Installing and Configuring Windows 10, with an Eye Toward Security

This post distills the extensive discussions in numerous (e.g., 1 2 3 4 5) previous posts on Windows 10 installation, and in an extensive recent post on security, to provide a step-by-step guide through Win10 installation and customization. In many places, brief comments in this post are supplemented by links to more detailed explanations in those prior posts. Where possible, the links lead to the relevant sections. That is, seemingly redundant links may actually be leading to different places.

Most of this post applies to 2018 and 2019 versions of Windows 10 x64 Pro and Home, on desktop and laptop computers, drawing on and explaining the advice provided by various sources. These steps would ideally be completed in a single session, or at least without allowing any opportunity for an intruder to gain physical access to the system before protections were in place.

Skimming through this post is not recommended. I hate that it’s so long — if you think reading it is a chore, you should try writing it — but many steps assume use of, or at least familiarity with, previous steps. If you’re getting weird results, it may be because some earlier step is missing.

If the user had an urgent need for access to data files on the target computer, or for related hardware (e.g., a Blu-ray drive installed in a desktop computer), one short-term (or possibly even long-term) solution would be to set up a Windows To Go USB drive, as described in another post.

Note that commands, in this post, are in italics, and are most effectively entered at an elevated command prompt, available via Win-R > cmd > Ctrl-Shift-Enter. “Win-R” means hold the Windows key (a/k/a WinKey), near the lower left corner of the standard keyboard, and hit the letter R. Win-R opened the Run dialog, and Win-I opened Settings. (On revisiting this post a few months later, I am chagrined to discover that WordPress has arbitrarily eliminated backslashes in directory names, leaving many folder references difficult if not impossible to understand.)

The steps described in this post vary in their degree of risk. Most of the more risky steps come later, but there are no guarantees. This post tries to explain things in terms that relative novices can understand, but that should not be taken as an invitation for relative novices to set forth and blindly do everything described here. These steps worked for me, to varying degrees, but I have no way of knowing what kind of damage they may do for others. Proceed at your own risk.

Note: some kind of glitch at WordPress removed all occurrences of the backslash (\) key throughout this post. I have gone through and restored them as well as I could. Be advised that I did not have time to re-research all commands, batch files, addresses, etc. in which backslash characters previously appeared. It is possible that my restore effort could have misplaced a backslash in one or more places. It would be advisable to test or examine places where backslashes don’t appear but should, or do appear but may be misplaced. I don’t think there will be many instances of such error. There may not be any at all. As I say, I couldn’t re-research each such instance at the time when I spotted the error and made the first repair effort.

Contents

Preliminary Security Concerns
Initial Windows Installation
Preparing to Go Online
Pre-Program Tweaks
Program Installation
Post-Program Tweaks
SSD Configuration
Drive Image: Reducing Sensitive Data
Later and Riskier Tweaks
Miscellaneous Tweaks
Context Menu Editing
SendTo Submenu
Other Tweaking Tools
Move User Folders
Using This Installation Elsewhere
Encrypting Drive C

Preliminary Security Concerns

As discussed at length in the security post, there were indefinitely many possible security threats to the physical possession of a computer and to its data. Some of those threats needed to be considered at the outset, before beginning to install Windows. For the beginning stage, topics discussed in that security post, and not detailed here, include deciding what threat one was protecting against; understanding what counted as a good password; making physical arrangements to protect against theft and against digital attacks (e.g., evil maid, cold boot, DMA), conducted remotely or by people with physical access to the computer; device recovery services and measures (e.g., LoJack); steps to reduce exposure of data that did not really need to be put within an intruder’s reach; and backup (against e.g., ransomware). While it was generally not possible to protect completely against such potential threats, it was probably advisable to do some reading on such matters, so as to become aware of problems and solutions that might not be obvious to the ordinary computer user. The present post’s security orientation arises within the practical tasks of installing and customizing Windows, and thus does not review most of those topics.

Initial Windows Installation

I was installing to a solid state drive (SSD). The computer also had a hard disk drive (HDD). At the start, I temporarily disconnected the HDD. Doing so would prevent any viruses on the HDD from infecting my installation before I had antivirus software in place, and it would prevent me from accidentally wiping out my data by installing Windows on the wrong partition. As a further antivirus measure, at the beginning I wanted to remove or at least disable networking hardware, so as to postpone the risk of infection from sources online. For that, I could turn off the router and/or unplug the WiFi USB dongle and ethernet cable.

Some of the following comments refer to the BIOS. What is commonly called “the BIOS” is the firmware code that enables computer hardware to start and run computer software — including, in this case, an operating system like Windows. BIOS was actually the older (“legacy”) system. On newer computers, it was replaced by UEFI. But it was still common (albeit sometimes confusing) to refer to UEFI as the BIOS. It could be helpful and sometimes essential to change certain settings in the BIOS setup utility. Access to that utility was often concealed by a splash screen showing the manufacturer’s name (e.g., Dell) when first starting the computer. The user’s manual for the computer or its motherboard would typically explain how to disable the splash screen and/or turn on the more informative Power-On Self Test (POST) screen and leave that screen showing for several seconds, giving the user time to hit a key. The most likely keys at that point were F2 (to go into the BIOS setup utility) and F12 (to let the user choose from a list of bootable devices), but the user’s manual might indicate that the particular computer used other keys instead (e.g., F1, Del, Esc, or F10). As an example of a BIOS setting that the user might need to change, it might be necessary to turn off Secure Boot in order to boot some USB thumb drives.

I used a partition editor to look at my partitions. Useful free partition editors included MiniTool Partition Wizard, Parted Magic, GParted, and AOMEI Partition Assistant. I could also run the built-in Windows 10 Disk Management (diskmgmt.msc) tool from a Windows To Go drive. All of these could run from a bootable USB drive; some could also be installed on and run within Windows 10. The user could create a multiboot USB drive that would run any and all such tools when the BIOS was set to use Legacy rather than UEFI. The user could also set up a single-boot USB drive for each such tool individually, or could download a prepackaged UEFI multitool.

The first task, with a partition editor, was to set the SSD to use the newer and in some ways superior GPT rather than MBR partition structure. The next task was to decide whether and how to divide the SSD. The partition on which Windows would be installed (a/k/a drive C or the system drive) would have to be large enough to accommodate future growth, as Windows installations grew larger. For instance, TechRepublic (Sanders, 2019) observed that the disk space required for Win10 1903 rose to 32GB, obviating earlier suggestions that users allow 30GB (or less) for their Windows installations. The required size would depend on how much third-party software the user might install, and how often and well s/he would clean out old stuff. At this point, sources varied, but it was not uncommon to encounter suggestions that the user allow 100GB. But I’d recently had a Win10 installation larger than that. Drive space was getting cheaper, whereas enlarging an encrypted drive C could be time-consuming. I favored a drive C size of 150-200GB, using the rest of the SSD for a data partition. Note also the advice to keep at least 20% of an SSD free, for best performance. Although overprovisioning (OP) could improve performance, space allocated by the user for OP could expose user data to an intruder. Thus it seemed that the SSD should be entirely filled with formatted partitions — that none of it should be left unallocated. I would not want to assign drive letters in the partitioner: that was best done later. (Incidentally, although I was using a Samsung SSD, my experience supported criticisms of the Samsung Magician software (e.g., a 3.5-star rating at Softpedia). It was useful for purposes of obtaining information, but was not necessarily safe for purposes of making changes to the system.)

Partitioning would not necessarily eliminate all traces of sensitive data that may have existed on the drive previously. As detailed in a prior post, securely erasing an HDD could call for erasing it with something like DBAN, whereas securely erasing an SSD could be more complicated. It seemed that at least some SSDs might be incapable of being completely and securely wiped, at least without the aid of laboratory equipment. But it also appeared that considerable expertise would be required to exploit such SSD imperfections to jeopardize system security. I planned to encrypt all partitions on the SSD. Nonetheless, there was always the possibility that someone might find (or I might leave an opening into) those encrypted partitions. If the drive ever contained sensitive data, it might be advisable to consult that prior post and other sources for guidance on securely erasing the drive.

To ward off the unlikely possibility that my computer’s BIOS was infected with a rootkit, I used the motherboard manufacturer’s advice on flashing (i.e., updating or restoring a recent stable version of) the BIOS. Running wmic bios get smbiosbiosversion as recommended by How-To Geek (2018) gave me information on my current BIOS, but Speccy gave me the same information. I could run Speccy as an installed or portable program on the computer itself, or on a Windows To Go USB drive. For my ASUS motherboard, flashing the BIOS entailed downloading the desired BIOS update in the form of a CAP file, putting it on a USB drive, and then booting the machine, hitting F2 to go into BIOS settings, and using the menu > Tool > EZ Flash Setup utility to select the drive, select the CAP file, and “read” (i.e., install) it, making sure nothing would interfere with the computer’s power during the next few seconds. It rebooted. I went back into BIOS and worked my way through the settings, making sure to set up passwords both for entry back into the BIOS setup utility and to boot the Windows system. I also verified (at BIOS > Advanced > PCH Storage Configuration) that SATA Mode was set to AHCI rather than RAID or legacy IDE. My other BIOS setting was to turn on the NumLock key on my standard keyboard by default.

My preferred method of preparing a Windows 10 installer suitable for the target computer was to use the Windows Media Creation Tool, on another computer, to download the Windows 10 installation file as an ISO (so that I could recreate the installation tool as needed), install it on a USB drive using Rufus (or some other bootable USB creator), and then boot the USB drive to install Windows. (Apparently there were still alternate ways of downloading the desired ISO.) In Rufus, I created the installation tool using the Standard Windows Installation (not Windows To Go) option. (Note that that option would appear only after selecting a Windows ISO.)

I booted the target computer with that Win10 USB installer to commence the installation process. I clicked through the default values on most screens. First exception: at the Activate Windows screen, I clicked “I don’t have a product key” because I had already activated Win10 on this hardware: Windows would sort out the activation by itself. I chose the version (i.e., Win10 Pro) matching that previous installation. I chose Custom rather than Upgrade installation.

After a reboot, with the USB drive removed, in response to “Let’s connect you to a network,” I clicked “I don’t have internet” and then “Continue with limited setup.” It seemed that, if I designated a means of Internet access at this point, that would get turned on upon reboot, even if I disconnected Internet access during this session. If I wanted to keep Internet access turned off, I might want to try Win-R > devmgmt.msc > expand Network Adapters > right-click > disable wireless or other network adapters. At least on this system, that change would survive a reboot. I could also use Win-I > Network & Internet > Airplane Mode > On. And in Win-I > Network & Internet, I could use Status > Show available networks.

When I indicated that I didn’t have an Internet connection, the installer set up a “local” (a/k/a “Windows”) account rather than a “Microsoft” account. A local account was just a traditional user account, specific to this computer, whereas a Microsoft account was shared across all Microsoft services and devices. As discussed in the security post, each had its advantages, but the local account was simpler and more secure. If desired, I could change the local account to a Microsoft account later, and back again. (For reasons discussed below, that’s exactly what I did at one point in this process.) One advantage of the local account became clear immediately: I was able to choose my own account name. I chose the name “Ray (Admin),” because the default account was an administrator’s account. When it asked for a password, I entered nothing and clicked Next, so as to avoid being prompted for answers to security questions that could provide an opening to an intruder.

If I had gone for a Microsoft account instead of a local account — that is, if I had proceeded to set up an Internet connection during installation — there would be additional issues:

  • To sign in at the “Sign in with Microsoft” installation screen — that is, to create a Microsoft account on this computer — I would enter my Microsoft email address (in my case, a Hotmail address) and click Next. When it then requested a password, it was requesting the password that I used to log into Hotmail, not the password that I might want to use, or might previously have used, for a local Windows account on this computer.
  • It was advisable to set up a PIN at this point, when the installer gave me the opportunity. As detailed in the security post, a PIN was more secure because it would be checked only within the machine itself, not sent over the Internet like a password.

In the last stages of the installation process, I opted out of every opportunity to give Microsoft information about me and my computer use, including Cortana, except that I said Yes to the Location tracking option on this desktop computer. CNET (2018) said I should have turned that off too and, as noted below, eventually I did. Aside from concerns about Microsoft itself, there was the risk that a hacker might gain access to information that had been conveyed to Microsoft. Finally, I set a password by going into Win-I > Accounts > Sign-in options > Password. At this point, no security questions were required.

Preparing to Go Online

Some sources (e.g., Hackernoon) recommended postponing the Internet connection until many protective steps had been taken to prepare the machine for the world’s threats. I believed this was probably a superior approach, from a security perspective. It was probably even essential, for an enterprise or high-visibility individual (e.g., politician, celebrity). But for my purposes, an Internet connection was pretty much baked into Windows setup. For example, the advice to install and configure antivirus software before going online made sense — except that some antivirus providers, including the top-rated Bitdefender that I intended to use, required an Internet connection during installation. In that regard among others, my experience was that an attempt to configure a Windows installation would soon have me going online, ready or not. At this point, my strategy was therefore to get ready for the online connection and then go ahead with it. For this purpose, before enabling the Internet connection, I proceeded as follows:

  • Software Firewall. I verified that the default Windows Defender Firewall was running via Win-I > Update & Security > Windows Security > Firewall & network protection. TechRepublic advised keeping the defaults unless I had an informed reason for doing otherwise.
  • Router and Network Firewall. How-To Geek (Hoffman, 2017) said the router typically functioned as a hardware firewall. To see whether the router had a built-in firewall, Lifewire (O’Donnell, 2019) essentially suggested consulting its documentation, or looking it up online, and entering its default IP address (e.g., 192.168.1.1 for ASUS) into the address bar of the browser (e.g., Firefox), using a computer connected (via ethernet or WiFi) to that router. Upon reaching the router’s webpage, O’Donnell said to look for a configuration page labeled Security or Firewall; and on that page, look for an opportunity to enable it. Elsewhere, O’Donnell recommended running Gibson’s ShieldsUP test to verify that the hardware firewall was functioning properly. The ShieldsUP webpage said that it would conduct benign probes of my network. That webpage also provided a machine name associated with my current Internet connection, and said that this machine name would persist if my Internet provider assigned me a fixed address, and thus could be used to identify me online. Taking Gibson’s advice, I copied down that machine name and made a note to check back later and see if it was unchanging — in which case apparently it would indeed be providing a constant link among the various places I went and things I did online. Anyway, I clicked Proceed, on Gibson’s page, and then clicked GRC’s Instant UPnP Exposure Test, and then returned to the previous page and ran the File Sharing test, and then returned again to run the Common Ports test. Everything was OK except the last returned a Ping Reply failure: hackers looking to verify the existence of this network could apparently use ping commands to do so. A Symantec discussion indicated that the ping response was coming from the router, not from my computer. In that case, it seemed it would not help to create an inbound rule to handle this in my software firewall.
  • Antivirus. Among the steps recommended by the U.S. Department of Homeland Security (2018), a major concern at this point was to install antivirus software. I decided to rely on Windows Defender Antivirus, already included in Windows, for the short time until I did get my preferred antivirus installed. To make that gap as short as possible, for reasons indicated in the security post, I chose Bitdefender Free. I downloaded the Bitdefender installer on another computer, put it onto a clean USB drive, plugged it into the target computer, and prepared to run it. It could be counterproductive to try to run it at this point. In the worst case, without an Internet connection, not only would the installer fail to install; it would also disable the default Windows Defender antivirus before failing.
  • Password Manager (PM). The security post contains information on PM software. Some PMs offered downloads that might be at least partly installed before going online. That was apparently the recommended way to install LastPass, which I used, though LastPass (like other PMs) was also available as a browser plugin. PMs could offer many configuration possibilities, some of which could enhance browsing security significantly. A section of the security post details my own configuration choices. To some extent this configuration might not have to be repeated in a later installation, if the browser’s sync feature saved the PM’s settings.
  • Anti-Keylogger Software. As detailed in the security post, the news on antikeylogging software was not great. There were certain precautions (e.g., a keystroke encryption tool like Ghostpress; a virtual keyboard like osk) that could be turned on to enhance security for some purposes; but sources seemed to point toward spending money on a good security suite rather than on a dedicated anti-keylogger. It appeared that, so far, the more extreme keylogging possibilities (e.g., recording the sound of the keyboard, so as to reconstruct passwords) were primarily found in the laboratory and/or in high-end espionage.
  • Windows Updates. The security post provides a more extensive discussion of risks and options for Windows updates. Briefly, there was a tradeoff between the desire to have up-to-the-moment security updates and the unfortunate reality that Microsoft itself was the world’s largest producer of malware, insofar as its security updates had repeatedly caused considerable disruption and damage to users. The practical albeit imperfect conclusion for a security-conscious user who wanted to get work done without undue disruption in version 1903 seemed to be as follows (for Win10 Pro; the security post offers somewhat different steps for Win10 Home, as well as alternative suggestions if this method ceased to work in Pro): go into Win-I > Update & Security > Windows Update > Advanced Options. There, turn on the options to “Receive updates for other Microsoft products when you update Windows” and “Show a notification when your PC requires a restart to finish updating,” but turn off “Download updates over metered connections” and “Restart this device as soon as possible when a restart is required ….” Also, for those who shared my preference for a regular schedule, pause updates until the fifth of the following month, and (on my personal calendar software) set a reminder to revisit these Advanced Options on the first of the month. Then, under the heading, “Choose when updates are installed,” set a delay of 365 days for feature updates and 15 days for quality updates. Apparently the safest route was, still, to avoid ever clicking the Check for Updates button. If these measures didn’t work or weren’t sufficient, the background notes post contained further information.
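The checks in the list above, together with the adapter state from the offline setup step earlier, can be collected into one read-only report; this is an added example, not part of the original post. It uses the built-in Get-NetAdapter, Get-NetFirewallProfile and Get-MpComputerStatus cmdlets. The registry path read for the two deferral values is an assumption about where the Settings app stores them in version 1903, and the function names are hypothetical.

```powershell
# Pre-online readiness report (added example; read-only, changes no settings).
# Run in an elevated PowerShell window before enabling the network connection.

function New-Check {
    param([string]$Item, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Item = $Item; Ok = $Ok; Detail = $Detail }
}

function Get-PreOnlineReport {
    $results = @()

    # 1. Still offline? No physical adapter should report Status 'Up' yet.
    $up = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    $detail = if ($up.Count -gt 0) { 'Up: ' + ($up.Name -join ', ') } else { 'no physical adapter is Up' }
    $results += New-Check -Item 'Adapters offline' -Ok ($up.Count -eq 0) -Detail $detail

    # 2. Windows Defender Firewall: Domain, Private and Public profiles all enabled.
    foreach ($p in Get-NetFirewallProfile) {
        $results += New-Check -Item "Firewall ($($p.Name))" `
            -Ok ([string]$p.Enabled -eq 'True') `
            -Detail "Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # 3. Windows Defender Antivirus as the stop-gap scanner until another product is installed.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $results += New-Check -Item 'Defender Antivirus' `
            -Ok ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
            -Detail ("RealTime=$($mp.RealTimeProtectionEnabled), " +
                     "signatures updated $($mp.AntivirusSignatureLastUpdated)")
    } catch {
        # The cmdlet can fail when Defender is disabled or replaced by another product.
        $results += New-Check -Item 'Defender Antivirus' -Ok $false `
            -Detail "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # 4. Update deferral values from this post: 365 days (feature), 15 days (quality).
    #    ASSUMPTION: the Settings app stores them under this key in version 1903.
    #    If the key or a value is absent, the item is reported as 'not set'.
    $uxPath = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    $ux = Get-ItemProperty -Path $uxPath -ErrorAction SilentlyContinue
    $wanted = [ordered]@{
        DeferFeatureUpdatesPeriodInDays = 365
        DeferQualityUpdatesPeriodInDays = 15
    }
    foreach ($name in $wanted.Keys) {
        $actual = if ($ux) { $ux.$name } else { $null }
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        $results += New-Check -Item $name -Ok ($actual -eq $wanted[$name]) `
            -Detail "expected $($wanted[$name]), found $shown"
    }

    $results
}

$report = Get-PreOnlineReport
$report | Format-Table -AutoSize -Wrap

# Summarize anything that did not match before the adapters are re-enabled.
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) item(s) need attention before going online."
}
```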

Having taken those steps, I was ready to go online. I undid the preventive steps described above, so that now the computer could connect with the Internet. I right-clicked on the Internet icon in the system tray (i.e., the area at the right end of the taskbar (i.e., the bar running across the bottom of the Windows screen)) > Open Network & Internet settings > Show available networks > connect to my Internet provider. Once the Internet connection was established, I took these additional steps:

  • Finish Preliminary Software Installation. With the Internet connection, I could finish installing antivirus and other software mentioned above.
  • Metered Connection. I went to Win-I > Network & Internet > Status > You’re connected to the Internet > Change connection properties > Set as metered connection > On. Then I went to Win-I > Update & Security. It did not indicate that the system needed any more updates, but I would want to look at this again later.
  • Activation. I went into Win-I > Update & Security > Activation to verify that Windows was activated.
  • Backup. The security post contains an extensive discussion of drive D (data) backup possibilities. It was not advisable to proceed further here without a solid data backup scheme. This post contains some references to drive C imaging. Possibly the images discussed here will be sufficient for drive C for the time being.
  • Passwords and MFA. Although this post does not attempt a recap of the security post’s discussion of password issues, this was a good opportunity to visit Have I Been Pwned? and — upon discovering that one’s email address, various passwords, and personal data have probably been sold multiple times on the Dark Web — to start implementing multifactor authentication (MFA), probably in its common two-factor authentication (2FA) form. As with the credit/debit card and its accompanying PIN, both of which were typically required to make a purchase at the store, MFA would require more than digital entry (e.g., a password) to accomplish various things on the computer. Tools and websites varied in their support for MFA. For example, most Windows machines did not support MFA at the level of the BIOS password, nor did VeraCrypt or the Windows login screen support genuine MFA; but most password managers and many sensitive websites (e.g., banks) supported at least some forms of MFA. Based on the user’s preferences, on the options provided by various tools and websites, and on consideration of various risks and features, most users would probably adopt a mix of MFA methods — perhaps using a hardware token in some places, an authentication app in others, maybe even a printed document sometimes. Possibly the best strategy was to begin using MFA wherever it was offered, making sure not to compromise the authenticator, nor to misplace it without backup — and thus start to become familiar with the best options for one’s own situation.

Pre-Program Tweaks

Now that I was online, I could proceed to build a stable system. Once that effort was complete, I could create a drive image. I would be able to restore that image, taking me back to my solid baseline system, if the system became unstable at some later date. Obviously, I wouldn’t want to include anything unstable or experimental in this image. But I also wouldn’t want to leave out stable software or system adjustments. If I did, then I would have to reinstall that software and re-create those tweaks, every time I restored the baseline image. I didn’t expect to install the baseline image often, but I knew that, sometimes, for various reasons, a Windows installation could become unstable or uncooperative, and then the drive image would save me a lot of do-over installation and configuration work.

In the following discussion, note that specified Control Panel items were visible by going to the upper right corner of Control Panel and choosing View by: Small icons. The Control Panel itself was available via Win-R > control. Windows File Explorer was available via Win-E. Percent signs (%) were used to indicate environment variables. Several such variables were potentially relevant here. First, in a default installation, the Windows 10 %windir% variable normally pointed to C:\Windows — but if the Windows folder was located elsewhere, entering %windir% into the address bar in File Explorer would find it. For these, this post just uses the simpler, functionally equivalent C:\Windows. Second, %programdata% pointed by default to C:\ProgramData and there, again, this post uses that simpler and more explicit address. The situation was different, however, where the name of a particular user came into play. On my computer, entering C:\Users\Ray (Admin) would take me to the home folder for this account that I was configuring — but on someone else’s computer, that address wouldn’t work, because it wouldn’t have a Ray (Admin) account. Instead, we could just refer to %userprofile% and that would take us to the user’s home folder — which might be C:\Users\Ann on some other computer. So, in this post, if I wanted to refer to a home folder address that will work for almost everyone, it was more useful to refer to %userprofile% than to C:\Users\Ray (Admin). The %userprofile% folder also had some subfolders, including particularly Appdata — which, typically, would be C:\Users\[user]\AppData — and %userprofile%\Appdata had three subfolders of potential interest here: Local (%localappdata%), Roaming (%appdata%), and LocalLow (%userprofile%\appdata\locallow). So when this post provides addresses containing those variables, users should be able to copy and paste such addresses without typing, in order to find the cited folder.

There were many possible customizations that I had found useful, that I could undertake at this point without imposing a risk of destabilizing the system. Here were the changes I wanted to see at this startup point. Note that some possible tweaks were deferred, for now, because they were better done after installing programs.

  • Device Manager. Once updates were done, I went to Win-R > devmgmt.msc > resolve any items needing attention. In this case, there were none.
  • Taskbar. I right-clicked on the taskbar > Taskbar settings > set only these items to On: Lock the taskbar, Use small taskbar buttons, Use Peek to preview the desktop, Replace Command Prompt with Windows PowerShell. Combine taskbar buttons when taskbar is full. Then, on the taskbar, for each unwanted icon, right-click > Unpin from taskbar. For the remaining items, right-click > uncheck Show Cortana and Show Task View buttons (because Show Task View did not seem to improve much on the simple Win-Tab option). For programs whose icons I wanted to remain available on the taskbar even when the program was not running, I right-clicked on the taskbar icon (when the program was running) > right-click > Pin to Taskbar. For programs that did not offer that right-click option, a workaround was to create a shortcut to the .exe or other file that ran that program, and then drag that shortcut to the taskbar or put it in %appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar.
  • Screen & Power. A laptop would have different and probably some additional settings. But on this desktop computer, I went to Win-R > control > Power Options. I probably should have just chosen the High Performance plan, here, but instead I went to Balanced plan > Change plan settings > Change advanced power settings. In that area: Hard disk: Turn off after 240 minutes. Sleep: Sleep after 0 minutes; turn off hybrid sleep; hibernate after 600 minutes; disable wake timers. USB settings: disable USB selective suspend. PCI Express: Link State Power Management: Off. Display: Turn off the display: Never. I could still use Win-L to turn on the lock (i.e., login) screen, so as to maintain at least that level of security during this setup process. In the same Control Panel Power Options area: Choose what the power buttons do > Change settings that are currently unavailable > turn off Fast Startup (if that option exists). When I noticed my browsers were unresponsive (until a reboot) after I was away from the computer for a few hours, I made a few additional changes: ncpa.cpl > right-click on the network connection being used > Properties > Configure button > Power Management tab > uncheck “Allow the computer to turn off this device to save power.” Likewise, in Win-R > devmgmt.msc > Universal Serial Bus controllers, for each USB Root Hub > right-click > Properties > Power Management tab > uncheck the same thing.
  • Snap. To control annoying behavior of the Snap feature (e.g., scrambling icons on the right side of the screen when I used Win-Left Arrow to align a window on the left side of the screen), I went into Win-I > System > Multitasking > keep Snap on but turn off its three subordinate options.
  • Settings: System. Elsewhere in Win-I > System, I made several changes. Display: Night light: on. Adjust display resolution if needed. Storage: Storage Sense off. Shared experiences: turn off Share Across Devices. About: Rename this PC. Clipboard: turn on Clipboard History for convenience, or turn it off for security; likewise for subordinate options (e.g., syncing the clipboard); use Win-V to open and edit clipboard history if enabled.
  • Settings: Devices. Bluetooth & other devices: temporarily turn on “Download over metered connections” to eliminate “Setup incomplete because of metered connection.” Then turn off after setup completes, typically in just a few moments. Typing: Spelling: both off.
  • Settings: Network & Internet. Status > Change connection properties: optionally set to Public, metered connection. Wi-Fi: turn off Hotspot 2.0 networks.
  • Settings: Personalization. Background: choose a picture, at least for now. Colors: Show accent color (my preferred color: desert) on both. (Classic Start Menu, below, would affect the final appearance.) Lock screen: to erase items under “Choose which apps show quick status on the lock screen,” click on the unwanted item and replace it with one of the items already appearing in the list. (In other words, the list will not show two of the same thing.) I wound up with just Calendar and Weather. To set the weather location: Win-I > Privacy > Location > Default location > Set default > use the map (it wouldn’t recognize city name or zip code for me). Optionally, Win-I > Privacy > Location > Allow access to location on this device > Change > On, and then (in the same place) Allow apps to access your location > On > turn on Weather. The weather lock screen option required a reboot to work correctly. Themes: one possibility was Cheng Ling’s Taiwan Culture Sketches, but it would have to await a Microsoft account login.
  • Settings: Time & Language. Date & time: Set time and time zone automatically.
  • Settings: Gaming. Game bar: Off.
  • Settings: Ease of Access. Keyboard: turn off everything except the two “Make it easier to type” items.
  • Settings: Privacy. Turn off almost everything, on all tabs (e.g., General, Speech …). It was surprising to see the number of ways in which Windows, by default, was observing user activity and/or allowing third-party apps to do so. Turn items back on if/as needed. One item to turn back on: Privacy > General > Let Windows track app launches to improve Start and search results. (That one allowed Win-R to remember previous entries, which was very handy.) Two other items to leave on: Background apps: Let apps run in the background, and File system: Allow apps to access your file system (but disallow specific apps as desired).
  • Settings: Update & Security. Windows Update: see above. Delivery Optimization: turn off “Allow downloads from other PCs.” Windows Security, also Troubleshooting: verify that no immediate actions are needed.
  • Intel Rapid Storage Technology (RST) (if offered in Control Panel). According to Intel, RST provided multiple benefits even on systems using one SATA or PCIe drive, including higher performance, lower power consumption, and enhanced protection against data loss (ditto Gizbot). Wikipedia‘s writeup seemed to focus on RST’s benefits for RAID (ditto SuperUser). Users said it could be a hassle (e.g., WD Community), with higher idle CPU temperature and usage (e.g., Republic of Gamers). Others (e.g., Samsung Community, Fernando) said it improved performance. There did not presently seem to be a compelling reason to install it. But perhaps it was already installed and running. When I clicked on this item in Control Panel, I got an information panel that was not highly informational, that seemed to be just reporting on how my system was faring with RST.
  • Control Panel: Keyboard. If the keyboard repeated the same key unexpectedly, make the repeat delay slower.
  • Control Panel: Mouse. Slow the double-click speed. Set Ctrl to show pointer location.
  • Taskbar: Elevated Command Prompt. To create a taskbar icon for an elevated command prompt, Winaero described a method that used Task Scheduler to bypass User Account Control (UAC) prompts. The more secure method, requiring those prompts, was as follows: in an empty space on the desktop (either the actual desktop or the Desktop folder in File Explorer), right-click > New > Shortcut > location = cmd.exe /k > Next > name = Elevated CMD > Finish. Then go to desktop (or to the Desktop folder in File Explorer) > right-click on new shortcut > Properties > Shortcut tab (selected by default) > Advanced button > Run as administrator > OK > OK > move the new shortcut to the preferred folder, or just leave on desktop > double-click on (i.e., run the) new shortcut > right-click on taskbar icon for new shortcut > Pin to taskbar > right-click on CMD window’s title bar > Properties > Font tab: I kept the default. Layout tab: for default font on a 1920 x 1080 monitor, Window Size = 85 x 63; uncheck “Let system position window”; then I could set Window Position = -4 x 0. Colors tab: set as desired (see Super User re using Paint or Instant Eyedropper (IE) to identify colors in Google search images; e.g., I set IE to RGB and produced 166,48,83 for Screen Background = dark magenta; adjust Screen Text accordingly). Then OK > close window. Note that these settings may be established only after a restart. See also my post on creating a taskbar button for special purposes.
  • Taskbar: Task Manager. Win-R > taskmgr > More Details > snap to left margin (i.e., Win-Left Arrow) > right-click on taskbar icon > Pin to taskbar.
  • File Explorer. I arranged my columns as desired (including right-clicking on column headings) and then went into menu > View > Options. On General tab: Open File Explorer to This PC. At the bottom > Privacy section > uncheck both items. View tab: display the full path in the title bar; don’t hide empty drives, extensions, folder merge conflicts, or protected operating system files; do restore previous folder windows at logon; don’t show pop-up descriptions for folder and desktop items; in navigation pane, expand to open folder; don’t show all folders. Finally, at the top of the View tab, I clicked Apply to Folders. I did previously have File Explorer set to show hidden items for some time; but for a reason explained at the end of another post, eventually I changed that. (An alternative not explored: OldNewExplorer.)
  • Drive and Folder Properties. In File Explorer, in the navigation (left-hand) pane, I right-clicked on each drive (except drive C) > Properties > General tab > uncheck “Allow files on this drive to have contents indexed” > Sharing tab > make sure that drives were not shared > Customize tab > Optimize this folder for Documents > Also apply this template to all subfolders > OK. If asked, “Apply changes to drive X:, subfolders and files” > OK > Ignore All errors (where applicable). Drive C did not offer all of those options. I could take the same steps in the top-level folders of drive C, where the options did exist, but I suspected overdoing that could destabilize the system.
  • Enable Audio Capture. Windows 10 did not necessarily offer an option to record the sound coming out of the computer’s speakers or headphones. To record audio (including the audio accompanying a video capture), I used a cheap splitter (so that both the computer and I could hear the audio) and a male-to-male cable (so that I could feed the computer’s side of the splitter back into the computer’s microphone or line-in jack). (See How-To Geek 1 and 2 regarding the older Stereo Mix option.)
  • Reduce Paging File Size. As detailed in the security post, the page file (i.e., pagefile.sys) could retain sensitive information for potential recovery by an intruder. Sources (e.g., TechRadar, Tech Advisor) recommended not trying to save space by minimizing the pagefile: without it, the system would crash if a program required more memory than was currently available. But with 24GB RAM and drive C on an SSD, I believed this system would be among those that did not need a paging file. To be on the safe side, I decided to keep a minimal paging file: Win-R > SystemPropertiesAdvanced > Advanced tab > Settings > Advanced tab > Virtual memory > Change > uncheck Automatically manage paging file size > select drive C > Custom size (initial and maximum) = 800MB > Set > OK. The change was effective only after a reboot.
  • Recycle Bin. To reduce recoverable information beyond what was likely to be useful, I went to the desktop > right-click on Recycle Bin > Properties > General tab > uncheck “Display delete confirmation dialog.” Then set Custom Size for each drive. For large drives, I chose a size of 10240MB (i.e., 10GB).
  • “Someone Else” Warning. When logging out, I noticed I was getting a warning, “Someone else is still using this PC. If you restart now, they could lose unsaved work.” But nobody else was using the system. The solution seemed to be, for each account on the system, to use Win-I > Accounts > Sign-in options > Turn off “Use my sign-in info to automatically finish setting up my device …” > reboot.
  • Disable Microphone and Webcam. If these devices were not needed, they were best physically removed or at least disabled or disconnected, to prevent hackers from using them to spy on the user. Although hackers were reportedly able to change Device Manager settings, I gave it a try: devmgmt.msc > expand Cameras and Microphones (or Audio inputs and outputs) (if available) > right-click on the specific item > Disable device. Also, Control Panel > Sound > Recording tab > Microphone > right-click > Show Disabled (and Disconnected) Devices > right-click on any microphones that are not already disabled > Disable. The security post mentions some software alternatives.
  • Turn Off Windows 10 Search Indexing. I planned to use Everything for filename indexing. To search for text within file contents, I had used Copernic Desktop Search, but then it had problems. Same with Lookeen. But whatever I chose, multiple sources indicated that the built-in search feature in Windows was not a serious contender. gHacks (Brinkmann, 2017) said, “Generally speaking it is a good idea to turn Windows Search indexing off if you don’t search often, or use a different desktop search program for that instead” because Windows Search indexing “may cause big performance issues,” with extra battery use on a laptop. (The default index database location was reportedly at %ProgramData%\Microsoft\Search\Data.) To eliminate the burden of Windows’ built-in file content indexing, with guidance from WindowsReport (Tyrsina, 2017), in File Explorer > right-click on a drive > Properties, I had already unchecked “Allow files on this drive to have contents indexed in addition to file properties” (above). To complete the job, now I ran Win-R > control > Indexing Options > Modify > uncheck all locations; then I ran sc stop "wsearch" && sc config "wsearch" start= disabled. Apparently it was OK to get “ControlService FAILED 1062: The service has not been started.” But one time, when I tried that, I got an “Access is denied” error. I had to use the manual approach: Win-R > services.msc > double-click on Windows Search > change Startup Type to Disabled and click Stop. I had to click Stop twice to kill it. Now the Indexing Options dialog said, “Indexing is not running,” and there were no Included Locations in the list.
  • C:\Cache. I created this folder, with subfolders for certain programs, to have a one-stop location for cache files. I would designate this location while tinkering with settings on some of the programs I was about to install. This folder would also prove useful when I was looking (below) for unnecessary materials I could jettison, so as to make space on drive C and/or reduce the size of backup images of drive C.
  • STARTUP.BAT. The contents of the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder would run automatically at startup. Various programs added links to that folder. I made my own addition to that folder: using Notepad, I created a batch file called STARTUP.BAT, containing the following lines, some of which would not be operational until later:
:: STARTUP.BAT

echo off
cls
echo.
echo.
echo Start by mounting data drive in VeraCrypt.
echo.
echo.
pause
cls

:: These programs do better if their startup is delayed until after
::   the preceding lines. For these commands to work, I need to put
::   a shortcut to each such program's .exe file (e.g., a shortcut to
::   Firefox.exe) into C:\Windows.
start Firefox
start Chrome
start Everything

:: Alternate way of starting a program.
start "" "C:\Program Files\BOINC\boincmgr.exe"

:: Kill certain programs (i.e., Skype, Glary Utilities) that insist 
::   on running at startup.
taskkill /f /im skype.exe
taskkill /f /im integrator.exe

:: Run the hourly batch file at startup too.
explorer "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tools\Batch & Startup\Scheduled Batch Files\HOURLY.BAT"
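
Because everything in the all-users StartUp folder runs at every logon, it matters who can modify STARTUP.BAT and the files it launches. The PowerShell check below is an added example, not part of the original post; the function name Get-RiskyWriteAccess and the list of trusted accounts are assumptions, and the paths are the ones named above.

```powershell
# Added example (not from the original post): list accounts other than
# SYSTEM, Administrators and TrustedInstaller that can modify the all-users
# StartUp folder, STARTUP.BAT, or the files STARTUP.BAT launches.

# Assumption: only these principals should hold write access.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let an account change, replace or add a file, plus the generic
# bits (GENERIC_ALL, GENERIC_WRITE) that some entries carry instead.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
                   $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::ChangePermissions -bor
                   $Fsr::TakeOwnership) -bor 0x10000000 -bor 0x40000000

function Get-RiskyWriteAccess {
    param([Parameter(Mandatory)][string[]]$Path)

    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing launch target can be created by anyone able to write
            # to its parent folder, so report it instead of skipping it.
            [pscustomobject]@{ Path = $p; Account = '(missing)'; Rights = 'n/a' }
            continue
        }
        # Ask for the rules keyed by SID so the check does not depend on the
        # display language of account names.
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries apply to children, not to this object.
            if ($rule.PropagationFlags -band $inheritOnly) { continue }
            if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

            $sid = $rule.IdentityReference
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }  # orphaned SID: show it as-is
            [pscustomobject]@{ Path = $p; Account = $name; Rights = $rule.FileSystemRights }
        }
    }
}

# Paths taken from the batch file above.
$startup = [Environment]::GetFolderPath('CommonStartup')
$targets = @(
    $startup,
    (Join-Path $startup 'STARTUP.BAT'),
    'C:\Windows',   # holds the shortcuts used by the bare "start" lines
    'C:\Program Files\BOINC\boincmgr.exe',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tools\Batch & Startup\Scheduled Batch Files\HOURLY.BAT'
)

Get-RiskyWriteAccess -Path $targets | Format-Table -AutoSize -Wrap
```

No output means that only the trusted accounts can change what runs at logon; any row naming Users, Authenticated Users or Everyone is a permission worth tightening.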

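
For the Windows Search step earlier in this list: sc stop exits with error 1062 when the service is already stopped, which makes && skip the sc config half, and an unelevated prompt is one cause of “Access is denied.” The PowerShell below is an added example, not part of the original post, that checks elevation first and disables the service before stopping it; the function names are assumptions.

```powershell
# Added example (not from the original post): disable Windows Search (WSearch)
# and confirm the result.

function Test-Elevated {
    # True when the current session holds the local Administrators token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-WindowsSearch {
    [CmdletBinding()]
    param([int]$TimeoutSeconds = 30)

    if (-not (Test-Elevated)) {
        throw 'Run this from an elevated PowerShell session; changing a service needs administrator rights.'
    }

    $svc = Get-Service -Name 'WSearch' -ErrorAction Stop

    # Disable first, so that nothing starts the service again once it stops.
    Set-Service -Name 'WSearch' -StartupType Disabled

    # Only stop a running service; an already stopped one is not an error here.
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'WSearch' -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }

    # Report the state as the service control manager records it.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'" |
        Select-Object Name, State, StartMode
}

Disable-WindowsSearch
```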

Program Installation

Having made those tweaks, I could proceed with program installation. I began with the list of programs that I found useful on my Windows To Go (WTG) drive. As indicated in the post discussing that drive, I kept copies of those programs (in installer and/or portable form) on a USB drive named PORTABLES. I preferred installed over portable versions especially for programs where I wanted filetype associations to stick. For example, to keep IrfanView as the default opener for JPG files, I found the installed version superior. But for infrequent use, using a portable could be easier than installation, and could also reduce the system load of countless little background processes that program installation often entailed.

Generally, when installing programs, I went with default settings. One exception was that I tried to disable context menu entries, if given a choice, unless I knew I would use them. Also, when given a choice, I opted to install programs for all users, rather than just for the current user. I installed many programs. Most did not require any particular notes — or, in a few cases, were the subject of one or more detailed discussions in this blog. The following notes focus on a few programs that seemed to call for particular attention.

Note that, in some instances, I had to run the programs, and maybe work on certain kinds of files, to complete the program configuration. For instance, I might work on a sample spreadsheet to bring out various settings in Microsoft Excel. The files that I would use, for this purpose, would not be files containing any sensitive information, because their existence or contents might be preserved in the backup drive image, which might not be stored on an encrypted drive.

I did not use an automated program installer, or package manager, to install software. At present, in preferred order, the best package managers appeared to be Chocolatey, Ninite, and Windows Remix. I was used to installing from the individual programs’ installers, and tweaking the installation as desired where permitted. I did run Patch My PC Updater after installing the following programs because, in their words, PatchMyPC “keeps over 300 apps up-to-date on your computer.” I chose its Options > Enable Download Only Mode, so that I would have the latest installers. I unchecked some of the updates it had identified, because the version numbers had changed so very little (e.g., from version 6.2.2979 to 6.2.2982). Then I clicked Perform Updates. It downloaded the installers to C:\PatchMyPC\Updates. Then I closed PatchMyPC, expecting to save and run those updates. But closing PatchMyPC also instantly closed that folder. Now Windows said it was unavailable. I ran PatchMyPC again. That folder was empty: it had to re-download all those installers. This time, I copied them out of that folder before closing PatchMyPC. Then I was able to run them to install the updates.

Later, I would find CloneApp useful for restoring settings automatically. But there were caveats:

  • I had to prevent CloneApp from including Windows documents and desktop. That is, I had to make sure it was focused on specific apps. Otherwise, it would include (potentially many GB of) data files in its backup. This was especially a problem with the junctions that I used to replace Windows default user folders (below).
  • If CloneApp was going to restore my preferred settings, I would have to set those up in the first place. So, for me, the best approach was to configure the programs after initial installation, maybe by working on a small and minor document or file. I say that because I found that CloneApp would also try to include potentially large numbers of Microsoft Word files (among others) in its backup, if it found any record of or reference to them. So, using that example, I just wanted to open an empty Word doc, use it to check and adjust my preferred settings, and then close it, realizing that CloneApp might try to save whatever I opened or used.
  • CloneApp failed to detect and save settings for some pretty significant programs, including most Adobe apps.

CloneApp would only be useful if it was saving my own custom settings, as distinct from program defaults. So before using CloneApp to save an ideal system’s settings for its various apps, I had to run those apps and change those settings as desired. I didn’t attempt to record, here, every last little setting I changed. But here are installation notes on some of the programs I installed:

  • VeraCrypt. I ran the installer from PORTABLES. Then I ran VeraCrypt. I went into its menu > Settings. Note the options to Auto-Dismount when the screen saver was launched, the user session was locked, the system entered power-saving mode, or no data was read from or written to the drive within a specified period. I enabled the option to use Secure Desktop just in case that would defeat a keylogger. I declined to display the password being entered, when VeraCrypt gave me that option, partly for the same reason, and partly to discourage copying and pasting of long passwords, which could add them to RAM and make them available to DMA and Cold Boot attacks. I also turned on “Wipe cached passwords on exit.” Then, before mounting any drives in VeraCrypt, I went to Win-R > diskmgmt.msc > change drive letters for any drives whose letters would get in the way of VeraCrypt volumes, by right-clicking on the drive > Change Drive Letter and Paths. Encrypted drives should have no drive letters assigned until they were mounted in VeraCrypt. If they did have drive letters in Disk Management, the solution in Change Drive Letter and Paths was to click the Remove button. If the desired drive letters were not visible now in VeraCrypt, reboot. Then mount VeraCrypt volumes to make sure they worked and were available as needed for further installation steps. (The topic of encrypting drive C comes later.) Then, for each mounted drive, VeraCrypt > menu > Favorites > Add mounted volume to Favorites > select the drive > “Use volume ID to mount favorite,” add a label, and check “Use favorite label as Explorer drive label.” Also, if applicable, “Mount selected volume upon logon.” To revise settings, menu > Favorites > Organize favorites volume > select the desired drive.
  • VPN. As described in the background notes post, I decided to try the free version of ProtonVPN for improved security when accessing sensitive websites. Setting up a ProtonVPN account on another computer gave me an installable Windows client download.
  • Everything, the file finder, was very useful from the start. I made a few adjustments. In Everything > menu > Tools > Options, I went to General > turn off Start Everything on system startup (because, unless I had VeraCrypt set to decrypt my data drive immediately on bootup, I could not decrypt that drive fast enough, and the Everything.db database file would therefore get confused). Instead, I added a line to STARTUP.BAT (above) to delay startup and, when necessary, I went into Everything > menu > Tools > Options > Indexes > verify cache location > Force Rebuild button. The configuration file (i.e., Everything.ini) contained my saved settings, so I ran Everything itself, searched for that file, and replaced its newly installed version with my previously saved version. Then I went into Everything > menu > Tools > Options > Indexes > Browse for database location > C:\Cache. Other Everything settings included Ctrl-Shift-V as hotkey (possible alternatives included Win-V or AvaFind‘s Shift-Esc).
  • WinRAR and 7-Zip. The built-in Windows file zipper failed to handle some kinds of compressed files. I also appreciated the options in WinRAR, for which I had bought a license. File zipping was essential, because various program installers would arrive in zipped form, or I would want to zip some installers for various reasons. Since I already had WinRAR, I wanted only limited context menu options from 7-Zip. I went into its menu > Tools > Options > 7-Zip tab. There, I left checked all of the five items on top except “Icons in context menu,” and I unchecked all of the Context menu items except Open archive, Extract files…, Test archive, and Add to archive…
  • Firefox. After installing Firefox, I went to its Options area by entering about:preferences into its address bar. (This was equivalent to using its hamburger menu (i.e., an icon consisting of three short horizontal lines, located at the right end of the address bar) > click > Options.) In Options, I went to Sync > log in. Syncing brought in most settings, add-ins, etc. This made setup simpler. As discussed in the security post, it also brought in every security violation that add-ins and previous settings could entail. This paragraph focuses on functional adjustments; a later section addresses security considerations. In the Firefox Options > General > Performance area, Firefox instability had previously inclined me to turn off “Use recommended performance settings,” so as to turn off “Use hardware acceleration when available.” To see whether Firefox was using excessive RAM, I ran taskmgr. It wasn’t; but if it had been, Windows Report had suggestions. When restarting, Firefox asked if I wanted it to be my default browser. I said yes. That opened Win-I > Apps > Default apps > Web browser. Firefox was not offered. I went down to the Set Defaults by App option > Manage > choose an app for each of the file types listed at left (e.g., .htm, .html). To save open browser tabs, pending an updated version of Session Manager, I was using MySessions and Tab List. To display the Firefox menu bar, I went to hamburger icon > Customize > Toolbars > Menu Bar. I was also able to turn off Title Bar at that same location. To set the Firefox home page, I had to go to the desired page and then drag its address bar icon onto the Home icon. To configure Firefox to open a new tab for search results, I went to the Firefox address bar > about:config > search for browser.search.openintab > double-click that (to set it to True). To do likewise for addresses pasted into the address bar, it was browser.urlbar.openintab. 
To make related tabs open to the immediate right, and unrelated tabs open to the far right, it was browser.tabs.insertRelatedAfterCurrent = true and browser.tabs.insertAfterCurrent = false. To make Firefox switch to the tab immediately to the right after closing the current tab, I used the Select After Closing Current add-on, with the first entry set to Position = Right and Relation = tab. To make Firefox load all tabs immediately (rather than on demand), I set these three to false: browser.sessionstore.restore_on_demand, browser.sessionstore.restore_pinned_tabs_on_demand, and browser.sessionstore.restore_tabs_lazily. To move the Firefox cache to C:\Cache\Firefox, as advised, I searched about:config for browser.cache.disk.parent_directory. It didn’t exist, so I created it by right-clicking on empty space in about:config > New > String > paste browser.cache.disk.parent_directory. When it said, “Enter string value,” I entered C:\\Cache\\Firefox (note the double backslashes). A new cache2 subfolder was created in C:\Cache\Firefox as soon as I closed and restarted Firefox. Some said that a large cache could slow down a system, but that seemed to be especially true for older systems. The countervailing concern was that, with Firefox set to load all tabs, and with my habit of keeping many tabs open, better performance might call for a larger cache (assuming sufficient free disk space). As advised, I began by making sure browser.cache.disk.enable was true; then I checked browser.cache.disk.capacity. It was already set at 1048576, so I didn’t increase it by right-clicking on that entry > Modify. Note also the option of increasing offline cache at browser.cache.offline.capacity. On a machine with more RAM, dom.ipc.processCount could reportedly be raised from the recently raised default of 8 to as high as 15, apparently indicating the number of tabs actively managed at any moment. 
From a security perspective, note that a larger Firefox cache could store more detail on the user’s browsing history. For instance, using Nirsoft’s MZCacheView, after designating cache2 as the target folder, I was able to view the contents of a cached webpage, in Internet Explorer, by right-clicking on a file of the “text/xml” Content Type. For all browsers, consider enabling Click to Play.
  • Google Chrome. I started with the download page. (As with Firefox, security considerations are discussed below.) Once installed, I went into Chrome’s menu (i.e., three vertical dots at the right end of its toolbar) > Settings > turn on Sync, and configure other items as desired. In its Advanced settings, among other things, I set my desired file download location. I did the same in Edge’s menu, and also set Google as the default search engine. To save my open browser tabs, I used Please, Save My Tabs! To get rid of Chrome’s “Pages Unresponsive” error, I went to Settings > Advanced > System > turn off hardware acceleration. To limit Chrome’s cache, as advised, I went to Chrome > right-click on Chrome icon in taskbar > look at the menu now opening from the taskbar > right-click on the Google Chrome entry in that menu > right-click on Properties > go to end of Target field > add a space and then add --disk-cache-size=1000000000 > OK. (Note: that’s a one followed by nine zeroes, for not quite 1GB. Larger or smaller amounts may be appropriate, depending on space. Also, in case it’s not clear from the font on this webpage, that addition begins with a space and two hyphens, not one dash. Generally, if in doubt about such items, copy them to Notepad, where the characters may be clearer.) Unfortunately, there was no setting to move the cache in Chrome, and in the words of Dave’s Computer Tips, the manual process could be “a ghastly chore” requiring the use of symbolic links and registry hacks, forcing the user “to jump through a lot of hoops.” The length of one video offering a tutorial was 12:23. To provide more space for the address of the webpage I was visiting, I went to the right edge of the address space and dragged it to the right. This displaced extension icons from the right end of the address bar; I needed to drag those around so that the most used ones were at the left. 
To clearly distinguish the colors of visited links, I used the Color Links extension (see SuperUser for an alternate approach).
  • Thunderbird. I had arrived at a way of restoring my Thunderbird backup to a new Thunderbird installation. The procedure was to install Thunderbird on the new system, and then use Beyond Compare (or some other directory comparison tool) to match up the two. The focus was on the Thunderbird profile. In each installation, that profile had a unique name (e.g., umb6aa9zq.default). To compare them, I had to change the name of the backed-up profile to match the name of the currently installed profile. Then, in my Beyond Compare comparison, I would see that the new installation mostly consisted of newer (but smaller and fewer) files. I used Beyond Compare to overwrite those. In effect, I had newly installed Thunderbird on Windows 10, and that new installation now functioned as a nearly empty shell into which I copied the old backup. To my great surprise and pleasure, this worked, bringing over not only my complete email setup including folders and emails, but also my Thunderbird extensions.
  • Legacy Start Menu. As detailed in the previous post, the approach here was to install Classic Shell (an alternative: Start10) and then restore my preferred settings by going to Start > All Programs > Classic Shell > Classic Shell Start Menu Settings > Backup button (at bottom of window) > Load from XML file > select previously saved settings > select preferred Start button (optional) > OK.
  • T-Clock. I installed White-Tiger T-Clock Redux to replace the clock in the system tray. Then I right-clicked on the clock > T-Clock Options > Clock Text tab > Tahoma ClearType Natural 8-point bold, line spacing = 2, width = 10, vertical = -1.
  • Calculator. Run Win-R > calc (a/k/a C:\Windows\system32\calc.exe). Resize as desired. Right-click on taskbar icon > Pin to taskbar.
  • Format Factory. After installing, I went to menu > Option > Advanced > uncheck “Add to system context menu.”
  • Microsoft Image Composite Editor. I set the cache location to C:\Cache\Microsoft via the Options (i.e., gear) icon at the upper right corner of the screen.
  • Skype. Now that Microsoft owned it, I had to fight it every time I booted up. Lifewire (Fisher, 2018) said there were several versions, each with its own special path to frustration. For my purposes, one startup window said Let’s go > Sign in or create > Log in > menu (i.e., three dots) > Settings > General > turn off “Automatically start Skype” and “On close, keep Skype running.” See also STARTUP.BAT (above).
  • Notepad. Set File > Page Setup > header and footer as desired.
  • Microsoft Office 2016. I had a batch file line making a daily backup of %appdata%\Microsoft\Office\MSO1033.acl, where my latest Microsoft Word text replacements were saved. (For example, I might define RW as shorthand for Ray Woodcock, to save typing. I tended to add to the collection whenever I used Word for any substantial typing, and did not want to lose those new additions — see previous post.) To restore my latest MSO1033.acl in this installation, I began by running a script to remove the existing set of Autocorrect entries, and then restored my latest MSO1033.acl to the folder(s) on drive C where the now-emptied MSO1033.acl files existed. To prevent Office 2016 from creating a Custom Office Templates directory in some unwanted location, in each Office application I went to File > Options > Save and manually entered a folder path. Settings to adjust in Excel appeared at File > Options > Proofing, Formulas, and Advanced tabs. As indicated in the background post, as of this writing, the “Updates Available” bug had no apparent solution.
  • IrfanView. Per a suggestion from Irfan and previous experience, I installed the 32-bit version for audio playback and the 64-bit version for image viewing and editing. They had to be installed to separate program folders, but that was done by default. Then I installed the accompanying plugin files. Finally, I overwrote the newly installed i_view *.ini files with saved copies of my old 32- and 64-bit .ini files.
  • BOINC. After installing BOINC, I went into its Options > Computing Preferences. I mostly used the defaults, but did tinker with a few things. I declined the option to use webpage preferences for my selected WorldCommunityGrid project. At that webpage, I went into my account’s Settings (upper right corner of webpage) > Device Manager tab > click on Default profile for my computer > Custom Profile. Processor usage: on multiprocessors, use no more than 95% of processors. Disk Usage: use no more than 0.3GB of disk space (because BOINC did not allow me to relocate the cache to C:\Cache) and clear the next two options. Memory Usage: do not leave applications in memory while suspended; Use no more than 50% of memory while computer is idle. Then Save. In Options > Other options, I unchecked “Run Manager at login,” because I found that BOINC started better if I started it via STARTUP.BAT (above).
  • VLC. During installation, along with the other usual choices, I unchecked the Context Menus option.
  • K-Lite Codec Pack (Mega). In the advanced installation mode (“Everything”), I unchecked Explorer Shell Extensions in the first screenful of options, and also unchecked “Add to MPC-HC playlist entry” later.
  • VirtualBox. As detailed in another post, I wanted to use a virtual machine (VM) to enhance security for some activities online. The other post explains why I chose VirtualBox for that purpose, and describes the setup and configuration process.

The background post, and earlier posts cited at the start of this post, contain additional program notes that I did not need in this installation. For purposes of producing a drive image of a good, relatively established system, however, I did want to start each program (or at least each major or frequently used program), restore at least the obvious or readily available preferred settings that I might have saved, and verify that it was ready for use.

As noted above, I was able to relocate the caches to C:\Cache, for some programs generating large caches (e.g., web browsers, video editors). As discussed below, I would set up a process for clearing out those caches periodically, and would exclude them from drive images. I believed it would be easier to achieve those objectives if the various caches were all in that one place (i.e., C:\Cache). As indicated below, I postponed some reportedly risky cache relocation efforts. I chose to put the cache on C, even though life would be simpler with it on another partition (and the cache would be just as fast if that partition were on the SSD), because I didn’t want the program to crash, or revert to another cache location, if for some reason that other partition was not mounted when the program ran.

Post-Program Tweaks

The process of installing and configuring programs provided the need and opportunity for another round of tweaking, as follows:

  • Other Hardware Updates. My Windows Update settings (above) included the option to receive downloads from third parties, but impaired my access to recent updates from those parties. As a point of comparison, I ran Windows Update MiniTool and clicked its Refresh icon. It found several non-Microsoft (i.e., Intel and ASUS) drivers to install. I clicked its Install Updates icon. As another option, I thought I might check my manufacturer’s website, just in case. Speccy observed that I didn’t have a separate graphics card — that I was just using the Intel graphics onboard my system’s motherboard. Intel’s webpage scanned my system and identified a driver update.
  • Settings: Apps. Once programs were installed, I could choose Default apps. Note that this portion of Settings could appear unresponsive: it could take some seconds to get a reaction to a click. It was necessary to choose Default apps, at least in some cases, even if the desired program (e.g., IrfanView) already contained a setting in which the user could choose it as the default program. Even after choosing a desired file association for a particular type of program, it was sometimes necessary to use the Default Apps option. For instance, I had to designate IrfanView as the default .mp3 player.
  • Control Panel: AutoPlay. I used Win-R > control to access these Control Panel items. In AutoPlay, I unchecked “Use AutoPlay for all media and devices.” For blank discs (i.e., DVDs, CDs, Blu-Ray discs), I chose “Take no action.” For movie, audio, and game discs, I chose the Play option. (Having already installed VLC, I chose to play with VLC.) For the remaining items, I chose “Open folder to view files (File Explorer).”
  • Settings: System. Win-I > System: Notifications & actions: turn off everything in the top section except “Get notifications from apps and other senders.” Then configure individual senders: turn on or off, and click on them for more options. Focus assist: Priority only > Customize your priority list. Automatic rules: turn off all. It was apparently not possible to recover a list of past notifications.
  • Classic WordPress Interface. For purposes of blogging, I preferred the old editor in WordPress. To get it back, I had to install the requisite scripting add-on (Greasemonkey in Firefox; TamperMonkey in Opera) and then the requisite script.
  • Remember Window Size & Location. Windows 10 did not seem to remember the sizes and locations of windows moved via Snap. But it did seem to remember manually dragged and shaped windows. To get them to fill exactly half of the screen, any use of Snap seemed to defeat the process. To make them fill the full half of the screen without triggering Snap, I dragged them down a bit from the top edge of the screen, extended them upward as needed, and then guided them into place. Possible alternatives to the same end included free versions of DisplayFusion, AquaSnap, and ShellFolderFix.
  • Permissions. Windows prevented me from copying configuration (.ini) files, so that I could restore a newly installed program to the functioning I had previously configured. This was inevitable: Windows would always, sooner or later, find an excuse to frustrate users who seemed to have all the required file ownership and permissions and yet, for reasons understood by few, were not allowed to copy, move, or change the file. In this case, the message was “Destination Folder Access Denied. You need permission to perform this action.” After a half-hour of repeating various forms of the standard advice to resolve this issue for configuration of Q-Dir, one of my most often used tools, I took the risk of using a third-party utility to fix the problem. Based on nothing more than a suggestion by a participant in a forum, I ran Lallous’s Reset Files Permission tool (archive). TakeOwnershipEx by Winaero was an alternative, discovered later, with more of a pedigree. As an additional frustration, despite setting File Explorer to view hidden files and directories (or so I thought), the folder in question (C:\Users\Ray (Admin)\AppData\Roaming) was still hidden, so I was not able to designate its Q-Dir subfolder as the target for this utility’s operation. So I ran Reset Files Permission on the entire C:\Users\Ray (Admin) folder. That took a long time, and made changes to thousands of system files — leaving me plenty of time to research comments by knowledgeable users who seemed to feel that this sort of action could wreck an installation. So much for cautious measures to set up a solid system! I could only hope that (a) this solved the immediate problem, (b) one of these two utilities would continue to solve similar problems in the future, and (c) I had not completely hosed my installation. We were about to see that, no, in fact, after running for 10-15 minutes and changing everything in the world, Reset Files Permission actually didn’t solve this particular problem. 
Neither did TakeOwnershipEx, though at least it seemed to make far fewer changes, and was done with its efforts in just a few seconds. But something worked: on a reboot, I was able to copy the files. Unfortunately, at the end of this installation and tweaking process, I did have an unstable system, and this step was one of the most likely culprits. Fortunately, it appeared that the system was repaired by a Repair Install, as described in another post. In a later try, I began by using TakeOwnershipEx and changing properties only on subfolders within C:\ProgramData\Microsoft\Windows\Start Menu.
  • Always Run as Administrator. For at least some programs, at least in this administrator account, I did not want to be halfway through a task and then discover that the program would not take an important step because it did not have sufficient authority. To set a program’s Start Menu icon to always run that program as administrator, I right-clicked on the Start Menu icon > Properties > Shortcut tab > Advanced > Run as administrator.
  • Taskbar. To hide unwanted icons in the system tray (at the bottom right corner of the screen), I dragged them onto the up arrow located at the left edge of the system tray. This put them into the overflow notification pane, visible by clicking on that up arrow.
  • Touchpad Sensitivity. For laptops, the touchpad could be irritating when used with a mouse. At Win-I > Devices > Touchpad, Windows 10 version 1903 offered an option to turn off the touchpad when a mouse was connected. In earlier versions, the only option there was Low Sensitivity. An alternate possibility: Win-R > control mouse > Device Settings tab > Disable internal pointing device when external USB pointing device is attached. Unfortunately, my laptop didn’t have a Device Settings tab. Appuals offered other suggestions, including the third-party Touchpad Blocker utility.
  • Persistent Start Menu. From my previous Windows 10 installation, I had a backup of the all-users Start Menu located at C:\ProgramData\Microsoft\Windows\Start Menu\Programs. I backed it up because (a) it represented a lot of work, sorting program icons into subfolders, and (b) I had stuffed it with portable program files, PDF program guides, links to cloud-based tools, and other materials not normally found in the Start Menu. On this new installation, I had installed virtually every program to its default location — which meant that my saved Start Menu’s already sorted program icons would still work. I didn’t need the newly created program icons that my newly reinstalled programs had added. Therefore, I used Beyond Compare (alternately, FreeFileSync) to compare the backup of my old Start Menu against the icons created by my new program installations, and to copy the old structure back into the new Start Menu; Nirsoft’s ShortcutsMan (alternately, Puran Utilities > Fix Shortcuts) to identify and remove shortcuts that were not working; and DoubleKiller Pro (searching for exact and same-name duplicates) to eliminate unnecessary recreated Start menu icons. There was an optional, potentially risky aspect to this effort. As elaborated in a forum discussion where I posted a question, some knowledgeable people contended that moving or deleting Start Menu entries installed by Windows (e.g., the folders for System Tools and Accessibility) could produce system instability. I had been moving and deleting such entries for years. But this time around, I concluded that they might be right, and (for that all-users Start Menu folder, and also for the current user account’s Start Menu folder at %appdata%\Microsoft\Windows\Start Menu\Programs) I acquiesced in the alternative of setting the properties for unwanted Start Menu folders to Hidden, and setting File Explorer not to show hidden items.
  • System Protection. I wanted to make a System Restore point backup. I used Win-R > SystemPropertiesAdvanced > System Protection tab. For some reason, the list of available drives included one named “Acer (missing).” When I selected it and clicked Configure, I got a dialog in which “Turn on system protection” was grayed out. There were ways of dealing with that. But for me, the solution was to choose “Disable system protection” > OK. That removed the Acer (missing) item and left me free to concentrate on my actual PROGRAMS drive C. I configured it to use 10GB for system restore points. While I was in SystemPropertiesAdvanced, I went to Remote tab > at the top, uncheck “Allow Remote Assistance connections to this computer.”
  • Scheduled Batch Files. Now that I had programs installed, I could configure batch files to run on a schedule. (That is, some of my batch files issued commands to open and use certain programs.) The background notes post contains more information on my batch files. I had already exported backups of the Task Scheduler (taskschd.msc) items that would run batch files. Those exports were in the form of .xml files. So now I could just re-import and configure those .xml files in Task Scheduler. As indicated in the background notes post, I was not able to set them up for all users within the admin account; I had to create, configure, and run them within the intended account.
  • Caches. For any other programs (including portables) for which I had a preexisting folder in C:\Cache (having preserved C:\Cache from a previous installation), I now opened that program and set it to look there for its cache. This included Audacity, CamStudio, CoolEdit 2000, CyberLink, Everything, and ImgBurn.

SSD Configuration

In previous installations, I had already explored configuration of the Samsung SSD on which I had created drive C. If I hadn’t done that previously, I might have wanted to take some of the following steps earlier in the process. I postponed them mostly because I wanted the Samsung Magician software installed first. I had learned not to trust it for actual partitioning, but it did provide useful information. Some might feel it was unsafe enough to defer this section until after making the first drive image.

  • SSD Firmware. As advised, I ran CrystalDiskInfo and looked at its firmware number for my Samsung 850 EVO SSD. It said Firmware EMT21B6Q. Samsung’s website was now offering EMT02B6Q. Was that better? Apparently not: belatedly, I observed that Samsung Magician was telling me the version number, and said it was the latest.
  • SSD AHCI. PCMag said the Advanced Host Controller Interface (AHCI) specification was introduced in 2004. Multiple sources suggested that AHCI would provide a performance improvement over legacy IDE. Even so, PCWorld said AHCI was designed for HDDs, not SSDs. The faster alternative now was apparently NVMe, especially in the PCIe rather than SATA interface. But I didn’t have NVMe hardware. AHCI would apparently have compatibility issues that IDE would not have in some situations. AHCI reportedly offered performance improvements over IDE on benchmark tests; but one source said its real-world performance improvements were not necessarily significant. The Samsung Magician software indicated that AHCI Mode was Activated. The choice between AHCI and IDE was set in BIOS. Sources indicated that AHCI was most easily set before installing Windows. (In my desktop’s BIOS, the setting was in Advanced > PCH Storage Configuration > SATA Mode Selection.) Where Windows was already installed, sources said I had to make a registry change (addressed in Win10RegEdit.reg, which is discussed in more detail below) before making that change in BIOS, to avoid having an unbootable system. But the registry change did not fix the problem for me. Instead, as suggested in TenForums (perhaps with the aid of the registry change), the solution was to go into Win-R > msconfig > Boot tab > Safe boot > OK. Then Win-R > devmgmt.msc > click on the arrow to open IDE ATA/ATAPI controllers > right-click on the controller listed there > Uninstall device > reboot > F2 > change BIOS to AHCI > save and exit BIOS utility > boot into Safe Mode > go back into msconfig and uncheck Safe boot > reboot. The computer then booted into Win10 normal mode; Device Manager showed two controllers; and Samsung Magician said AHCI was activated. (TechRadar said Safe Mode was also available by pressing Shift while either booting or clicking Restart.)
  • SSD Partition Alignment. To determine whether my SSD’s partitions were correctly aligned, How-To Geek (Hoffman, 2016) recommended Win-R > msinfo32 > Components > Storage > Disks > find the SSD in the Value column > scroll down to its Partition Starting Offset. Under my Samsung SSD, the Partition Starting Offset value was 1,048,576 bytes. Now, the crucial question: was that evenly divisible by 4096? A calculator said yes: 1,048,576 / 4096 = 256. (That is, the division yielded a whole number, not a fractional number like 256.3.) If it hadn’t been, Hoffman recommended using a partition editor. For example, in MiniTool Partition Wizard, the solution was apparently to click on the drive > Align.
  • SSD Defragmentation. The nearly universal SSD tweaking advice, anymore, was to leave things alone. Thus MakeTechEasier (Leiva-Gomez, 2018) recommended leaving dfrgui in its default state: turned on for drive C. But it was still worth a look to make sure of the current setting.
  • Wiping SSD Free Space. In principle, as I noted in a previous post, the TRIM function built into SSDs would automatically erase data pertaining to deleted files. In practice, as I found in 1 2 other posts, it did not necessarily work that way. To determine whether TRIM was at least supposedly operational, the advice was to run fsutil behavior query DisableDeleteNotify. That produced “NTFS DisableDeleteNotify = 0,” signifying that TRIM was enabled, consistent with the indication provided by the Samsung Magician software. I also got a response regarding ReFS, but I had no drives formatted in ReFS, so I disregarded that. As discussed in another post, it could be difficult to wipe either an entire SSD or its free space. A different post indicated that it was not necessarily clear how much data, supposedly recovered from free space, was actually coming from files currently existing on the SSD. To protect against the possibility that TRIM was not performing as claimed, a second line of protection could entail using Heidi Eraser or other free space erasing options to overwrite unused space. If the system partition on the HDD was not too large (so as not to keep the HDD working constantly), the user could put a copy of the Sysinternals SDelete.exe file in C:\Windows (so that the command line would recognize sdelete commands), and then (per gHacks) add a command to a batch file scheduled to run regularly (e.g., daily, weekly, monthly): sdelete -z X: where X was the drive being cleaned. On a drive with 100GB of free space, that would be a command to write 100GB of data (specifically, zeros). This would obviously best be scheduled for a time when the drive was not being used. The hope in this case would be that, as some claimed, repeated overwrites would substantially eliminate recoverable data from an SSD as well — but note the Update, near the start of a previous post, on the difference between ordinary and forensic concepts of data recovery. 
Alternately, as detailed in another post, a user seeking a relatively certain way of ensuring that deleted data was really gone could create an intelligent (i.e., not sector-by-sector) drive image onto another drive, use a relatively final method of drive wiping (e.g., Secure Erase), verify that files (if not file fragments) could not be recovered, and then restore the drive image. In that scenario, free space really would be free.
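
The alignment and TRIM checks described above can be scripted, so that they cover every partition at once and are easy to repeat after repartitioning. This is an added example, not from the original post; the function names are hypothetical, and Get-Partition is the cmdlet from the Storage module included with Windows 10.

```powershell
# Added example, not from the original post. Read-only.
# Run from an elevated PowerShell prompt.

function Test-PartitionAlignment {
    param([uint64]$Offset, [uint64]$Boundary = 4096)
    # Aligned when the starting offset is an exact multiple of the boundary.
    return (($Offset % $Boundary) -eq 0)
}

function Get-TrimState {
    param([string[]]$FsutilOutput)
    # Read only the NTFS line; the optional prefix also accepts output that
    # lacks the "NTFS" label. The ReFS line is ignored, as in the post.
    foreach ($line in $FsutilOutput) {
        if ($line -match '^\s*(NTFS\s+)?DisableDeleteNotify\s*=\s*(\d)') {
            if ($Matches[2] -eq '0') { return 'enabled' }
            return 'disabled'
        }
    }
    return 'unknown'
}

# Same figure as msinfo32's "Partition Starting Offset", for every partition.
Get-Partition | ForEach-Object {
    [pscustomobject]@{
        Disk        = $_.DiskNumber
        Partition   = $_.PartitionNumber
        Drive       = $_.DriveLetter
        OffsetBytes = $_.Offset
        Aligned4K   = (Test-PartitionAlignment -Offset $_.Offset)
    }
} | Format-Table -AutoSize

# DisableDeleteNotify = 0 means delete notifications (TRIM) are being sent.
$fsutil = fsutil behavior query DisableDeleteNotify
"TRIM (NTFS): " + (Get-TrimState -FsutilOutput $fsutil)
```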

Here, again, the background notes post had comments on a few additional (but deprecated) SSD tweaks.

Drive Image: Reducing Sensitive Data

At this point, I had constructed a working and relatively configured system. One objective had been to avoid doing things that might render this installation unstable. Another, somewhat conflicting objective had been to install and configure as much as possible, so that production of a final and complete installation would not require a terribly large amount of additional work, if at some point I did have to restore an image of the system in its present condition. There had also been a conflict between getting as much done as possible and avoiding the entry of passwords, the opening of sensitive data files, or other actions that might leave recoverable information on the resulting drive image, in case I found it necessary or convenient to keep this first image on an unencrypted drive. The system was in fairly good condition in these regards. It was time to make that backup drive image.

A first step, toward making a good drive image, was to verify that I had a stable installation that was worth preserving. Another post describes some efforts to that end. At present, my installation seemed to pass the test. Therefore, the next step was to reduce the amount of information that an intruder could glean from the drive image, if I didn’t encrypt it. In that regard, the first line of defense was not to expose information to Windows in the first place — because, as discussed in the security post, it was as though Windows had been designed to distribute potentially sensitive information. The second line of defense was to delete information that Windows might have collected. As an aid in that effort, MakeUseOf (Lee, 2015) identified a number of Windows caches that users could clear.

That clearing process overlapped substantially with the more general effort to delete unnecessary material (see previous post) in order to free up disk space and produce a smaller drive image. Steps in that effort included the following:

  • Crash Dumps. WindowsReport (Adams, 2019) said that memory dump files could fill gigabytes. If cleanmgr didn’t find them, Adams listed several alternate ways of finding and removing them. I was not inclined to risk his command line suggestions at this point, as I did not fully understand them, preferring instead to leave this task for CCleaner (below); but for posterity I did capture them in this batch file:
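:: CRASHDUMPCLEANUP.BAT
:: From https://windowsreport.com/delete-system-error-memory-dump-files-in-windows/#3
:: These commands delete data and need an elevated prompt.

:: Delete the NTFS change (USN) journal on C:
fsutil usn deletejournal /d /n c:
:: Empty the user temp folder, the Recycle Bin, and the Windows temp folder
del "%temp%\*" /s /f /q
del "C:\$Recycle.bin\*" /s /f /q
del "%systemroot%\temp\*" /s /f /q
:: Delete every shadow copy of C: (this removes all System Restore points)
vssadmin delete shadows /for=c: /all /quiet
:: Remove superseded update components; installed updates can no longer be uninstalled
Dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase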
  • WinDirStat and TreeSize highlighted the amount of space I might save if I could reduce or eliminate, at least temporarily, the very large pagefile.sys and hiberfil.sys files on drive C. My old copy of Acronis True Image Home had allowed me to make drive images that would exclude specific files and folders, but I hadn’t seen such an option in AOMEI Backupper or Macrium Reflect, and a quick look at images made by those two tools confirmed that they were not smart enough to exclude pagefile.sys or hiberfil.sys automatically. I had already set pagefile.sys to be small (above), and for the moment I made it even smaller: 20 MB. To turn off hibernation, I used powercfg /h off. (An alternative was to set Sleep > Hibernate to zero minutes in Control Panel > Power Options.) TreeSize indicated that shrinking pagefile.sys and hiberfil.sys had reduced the size of the installation by about 10GB.
  • Historical Comparison. For later cleanups, after I had been using the system for some time, I could compare selected drive C folders against those captured in today’s drive image. That is, I could mount this drive image, at some later date, to see whether any folders had grown much larger in the meantime, due perhaps to an accumulation of cache or temporary files.
  • System Restore Cache. TreeSize said I had 6.7GB in System Volume Information, the folder used for System Restore Points. I went into SystemPropertiesAdvanced > System Protection tab > select drive C > Configure button > Disable system protection > confirm that I wanted to turn off System Protection. Now TreeSize said System Volume Information was only 49MB.
  • Windows 10 Update Cache. MakeUseOf (Lee, 2015) said that the cache at C:\Windows\SoftwareDistribution\Download could contain many gigabytes of update files that would typically not be needed anymore. He said I could just delete everything in that folder. But I had not updated from a previous version of Windows. The folder had only a few megabytes of files. By way of comparison, in a fresh (i.e., not updated) Windows 7 installation, I saw that folder did contain more than 2GB of material.
  • Windows Store Cache. MakeUseOf (Lee, 2015) said wsreset would empty this cache. I had rarely if ever used the Windows store on any computer, and I also thought CCleaner might have already taken care of this. I ran it nonetheless. After a minute or two, it gave me the Microsoft Store, which was apparently the sign that the process had completed.
  • Domain Name System (DNS) Cache. MakeUseOf (Lee, 2015) said that clearing the DNS cache could fix Internet routing problems and in any event would do no harm. It appeared that the process would save virtually no disk space, but I ran it anyway: ipconfig /flushdns.
  • Browser Cache. I was normally reluctant to clear the browser cache, as a matter of convenience: it stored addresses and cookies that sped up my access to and use of various webpages. But I was more willing to do it, to make the drive image smaller, because recently my browsers had been unusually sluggish — even though I suspected that was due to a Windows system problem. CCleaner (below) offered to do this, but it didn’t do it nearly as well. To completely clean the Firefox history in most situations, the advice was essentially to hit Ctrl-Shift-Del in Firefox > Time range to clear: Everything. History: check all items. Data: I checked everything there too. Then click Clear Now. In Chrome, Google advised the same hotkey (i.e., Ctrl-Shift-Del). I chose Time range: All time and, again, all items > Clear data. That hotkey didn’t work in Opera; instead, they advised Alt-P > Advanced > Privacy & security > Clear browsing data > set parameters. The caches would begin to fill again as soon as I restarted the browsers. Thus, for the drive image, I would want to close the browser before clearing the cache, and not open it (and its open tabs) again until after the drive image was complete.
  • Other Programs. Win-I > System > Storage said that I had 26GB of “Apps & features.” Clicking on that led to Win-I > Apps > Apps & features. This was a list of mostly desired software, mostly installed by me, similar to the list at Win-R > control > Programs and Features, except that the latter did not include preinstalled Windows apps (e.g., 3D Viewer, App Installer), and fairly similar as well to the items on the standard Win10 Start Menu. Various sources indicated that removing preinstalled software might not be effective long-term (i.e., bloatware might be reinstalled after an update), would probably not save much space, and could contribute to system instability. I returned to this issue when I was ready for more risk (below).
  • Items in RAM. Although my hiberfil.sys was now temporarily gone and my pagefile had shrunk, presumably RAM could still hold recently entered passwords (e.g., for VeraCrypt, LastPass, webpages), and possibly those were recorded in pagefile.sys. For security, it seemed I probably should do a regular restart, so as to let these sources clear themselves, and not log into sensitive programs or websites until the drive image was done.
  • Drive Indexing Caches. Everything.db recorded filenames, and thus could reveal sensitive information if the drive image fell into the wrong hands. This would presumably be equally true of the indexing database for any other drive indexing tool. I had created the C:\Cache folder, in particular, to hold cache files from various programs, including Everything.db. Now (for items not already removed by the preceding steps) I cleaned it out manually, using TreeSize to identify folders containing notable amounts of material, but also verifying whether any residual log files contained information of potential value to an intruder.
  • CCleaner. Registry and system cleaning tools had a reputation for “cleaning” a system in potentially harmful ways. Among sources inclined to use such tools, many recommended CCleaner (for which I found an English-language version at Softpedia). It still seemed, however, that the best practice was to use it for specific purposes. For instance, WindowsReport (Adams, 2019) recommended CCleaner as an alternative to the foregoing batch file, for purposes of finding and removing crash dump files. In its Custom Clean, I saw that CCleaner had detected various Windows tools and third-party applications. I clicked Analyze to see what it would find, and then reviewed its findings. There were apparently no memory dumps (above) to delete, but CCleaner did seek to examine the Internet caches for each web browser. I unchecked the items I did not want deleted or trust CCleaner to delete well. I was able to check or uncheck whole groups (e.g., all items pertaining to Microsoft Edge) by right-clicking on the headings. I re-ran Analyze, to take a second look, and then I deleted that material. Note that CCleaner’s analysis could include any drive, or at least any fixed drive, connected to the system. For purposes of a focus on drive C, a cautious individual might disconnect other drives before running it. I ran it last, partly so that its Recycle Bin check would remove items placed into the Recycle Bin by the preceding steps, and partly as a check on those steps.

Altogether, according to TreeSize, those steps reduced the size of my installation from 81GB to 55GB. This might or might not matter for purposes of the drive image, depending on which kind of image I made. The default and for most purposes more practical choice was to make what some tools referred to as an “intelligent” image (i.e., copying only those sectors containing parts of files) as distinct from an “exact” or “sector by sector” image (i.e., copying every bit of the disk, even if it appeared empty). The Macrium dialog offering this choice said that Macrium’s exact copy would “include unused sectors” and “therefore forensic examination of the partition(s)” would be feasible: “Deleted files may be recovered for example.” In this instance, an intelligent Macrium image, with high compression, squeezed the drive’s 57GB into a 28.5GB file. By contrast, an uncompressed image would have been 57GB, and an exact image would have been about 200GB, because that’s how big the drive C partition was. It would obviously take more time and space to create, store, and restore exact images.
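
A read-only check to run just before imaging, added here as an example and not part of the original post: it lists the residue named in this section (hiberfil.sys, pagefile.sys, crash dumps, the update cache, C:\Cache, and any Everything.db inside it) under a chosen root. The script name, the -Root parameter and the M:\ drive letter are assumptions for illustration; MEMORY.DMP and Minidump are the Windows default dump locations, which the post does not name.

```powershell
# Added example, not from the original post. Read-only: nothing is deleted.
# Reports residue that an unencrypted drive image would capture.
# Usage (elevated PowerShell):
#   .\PreImageAudit.ps1              # live drive C
#   .\PreImageAudit.ps1 -Root 'M:\'  # a mounted image (hypothetical letter)
param([string]$Root = 'C:\')

function Get-TreeSizeBytes {
    param([string]$Path)
    # Sum of file sizes under $Path; folders that cannot be read are skipped.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return [long]0 }
    return [long]$sum
}

function New-Finding {
    param([string]$Label, [string]$Path, [long]$Bytes, [string]$Why)
    [pscustomobject]@{
        Item   = $Label
        Path   = $Path
        SizeMB = [math]::Round($Bytes / 1MB, 1)
        Why    = $Why
    }
}

$findings = @()

# hiberfil.sys and pagefile.sys are locked on a running system, so take their
# sizes from the directory listing instead of opening the files.
$rootFiles = Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue
foreach ($f in $rootFiles) {
    if ($f.Name -eq 'hiberfil.sys') {
        $findings += New-Finding 'Hibernation file' $f.FullName $f.Length 'Snapshot of RAM; remove with powercfg /h off'
    }
    elseif ($f.Name -eq 'pagefile.sys') {
        $findings += New-Finding 'Page file' $f.FullName $f.Length 'May hold paged-out memory contents'
    }
}

# Minidump and SoftwareDistribution are Windows defaults; Cache is this post's convention.
$folders = @(
    @{ Label = 'Minidumps';            Rel = 'Windows\Minidump';                      Why = 'Crash dumps contain memory fragments' },
    @{ Label = 'Windows Update cache'; Rel = 'Windows\SoftwareDistribution\Download'; Why = 'Old update files; space only' },
    @{ Label = 'Relocated caches';     Rel = 'Cache';                                 Why = 'Browser, editor and index caches' }
)
foreach ($d in $folders) {
    $p = Join-Path $Root $d.Rel
    if (Test-Path -LiteralPath $p -PathType Container) {
        $bytes = Get-TreeSizeBytes $p
        if ($bytes -gt 0) { $findings += New-Finding $d.Label $p $bytes $d.Why }
    }
}

# Full memory dump (Windows default location).
$dump = Join-Path $Root 'Windows\MEMORY.DMP'
if (Test-Path -LiteralPath $dump -PathType Leaf) {
    $findings += New-Finding 'Full memory dump' $dump (Get-Item -LiteralPath $dump -Force).Length 'Memory contents at the time of a crash'
}

# Index databases such as Everything.db record filenames.
$cache = Join-Path $Root 'Cache'
if (Test-Path -LiteralPath $cache -PathType Container) {
    $dbs = Get-ChildItem -LiteralPath $cache -Recurse -Force -File -Filter 'Everything.db' -ErrorAction SilentlyContinue
    foreach ($db in $dbs) {
        $findings += New-Finding 'File index' $db.FullName $db.Length 'Records filenames from indexed drives'
    }
}

# System Volume Information (restore points) is readable only by SYSTEM;
# check it separately with: vssadmin list shadowstorage
if ($findings.Count -eq 0) {
    Write-Output "No listed residue found under $Root"
}
else {
    $findings | Sort-Object SizeMB -Descending | Format-Table -AutoSize -Wrap
}
```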

There were a handful of commonly mentioned free and paid programs for drive imaging. Macrium Reflect seemed to be getting a lot of positive attention among users of free software. AOMEI Backupper was another useful free one. Both of these had frustrated me in certain situations involving USB drives. I had less experience with EaseUS Todo Backup, a third free option. For many years, I had used the paid Acronis True Image Home. But then Windows 10 came along; my old copy of Acronis didn’t work on Windows 10; and Acronis’s reputation seemed to be slipping. But these days, Acronis once again seemed to be highly reputed among reviewers, with Paragon a paid alternative. Acronis now used 600MB of disk space and ran multiple processes, resulting in a PCWorld (Jacobi, 2018) opinion that Acronis imposed “a heavy footprint on your system … [that was] likely overkill for the majority of users.” Acronis also cost $50 per computer, though better deals could perhaps be found on Amazon or eBay. At the moment, I was using the free version of Macrium, whose paid version ($70 for one machine) included a ReDeploy feature seemingly similar to Acronis Universal Restore: both were reportedly able to restore a drive image to a new computer, potentially saving the user the hassle of reinstalling everything.

It was almost convenient that Macrium had given me a 28.5GB drive image. I say that because I could almost fit that onto a spare 32GB USB drive, with Macrium’s bootable version installed. That would mean that I would not have to try to persuade Macrium to restore a drive image stored on an external USB drive that it would refuse to see, as I had discovered in unpleasant recent experience. Instead, the drive image would be right there on the Macrium drive. It couldn’t pretend not to see that. I did first try to create a separate partition on that USB drive, but MiniTool Partition Wizard said that Windows wouldn’t recognize a separate partition on a USB drive. With some additional tinkering (i.e., uninstalling one big but rarely used program), a retry did give me an image that would fit on that USB drive. That way, I could always restore a working system.

To create that bootable 32GB Macrium USB thumb drive, it seemed my best solution was to run Macrium in Windows 10 and choose its option for Other Tasks > Create Rescue Media. I told it to create an ISO image (at the bottom of the list). I installed that ISO onto the USB drive using Rufus, set to MBR and NTFS. I double-checked, using a partitioner (e.g., MiniTool Partition Wizard), to make sure the program partition filled the drive — and that’s where I put a copy of the drive image. I tested it only to the point of verifying that it would boot and that it looked like it was ready to restore the drive image to a computer. If it failed to go beyond that, I could still fall back on the copy of the image that I had kept on the HDD.

After making the drive image, I returned the system to normal by undoing some of the space-reducing steps listed above:

  • Restore Hibernation with powercfg /h on. Restoring hibernation restored my 600-minute setting (above). I wanted hibernation to back up the system in case of power outage lasting beyond the brief lifeline provided by my uninterruptible power supply (UPS, a/k/a battery backup). As StackExchange indicated, hiberfil.sys could pose security concerns, particularly on an unencrypted drive C. Since I planned to encrypt drive C, its primary risk was that it would hold potentially sensitive information from encrypted data drive D. That could matter if an intruder was able to get into drive C but not drive D.
  • Turn on System Protection via SystemPropertiesAdvanced > System Protection tab > select drive C > Configure button.
  • Reinstall programs that were removed to make an image that would fit onto the USB drive.

That concludes the discussion of steps I took to save space.

Later and Riskier Tweaks

Now that I had what looked like a working drive image, I could proceed with programs and activities that, while offering benefits that might appeal to many users, might also pose a risk of destabilizing the system. Some of these items were riskier than others.

Miscellaneous Tweaks

Ordinarily, a list of miscellaneous items would come at the end, but some of these would have consequences for other items to follow.

  • Disable OneDrive. How-To Geek (Hoffman, 2017) offered ways to remove OneDrive so that I could bring it back if I wanted — and in any case I could still log into OneDrive.com if desired. In Windows 10 Pro or Enterprise, the advice was gpedit.msc > left pane > Computer Configuration > Administrative Templates > Windows Components > OneDrive > right pane > double-click on “Prevent the usage of OneDrive for file storage” > Enabled > OK. Then reboot. I was not sure whether this was the step that removed it from control > Programs and Features. If not, I could uninstall it there. To reinstall, run C:\Windows\SysWOW64\OneDriveSetup.exe.
  • Control Panel: Programs and Features. Along with uninstalling any unwanted software, in the left panel, I clicked on Turn Windows features on or off. For that, gHacks (2016) provided an item-by-item discussion. These appeared mostly to be set by various programs that needed them, so I mostly left them alone. I did turn off the deprecated Windows PowerShell 2.0 and Work Folders Client. I turned on Windows Subsystem for Linux to obtain access to useful Linux commands (e.g., rsync). After a reboot, I ran wsl -l --all (for Win10 1903) or wslconfig /l /all (for earlier versions) to see the Linux distributions available on Windows 10. That command worked now, but it said, “Windows Subsystem for Linux has no installed distributions,” and pointed me toward the Microsoft Store. I chose Ubuntu > Get > Get > opt not to sign into my Microsoft account > Install. To use this new Linux installation, I went to Win-R > cmd > Ctrl-Shift-Enter > bash. LinusTechTips suggested immediately running two commands at the Linux prompt to update the installation: sudo -i and then apt-get update && apt-get upgrade.
  • Manage Automatic Startup Programs. MakeUseOf (Bonilla, 2016) recommended Autoruns, from the acclaimed Sysinternals set, to manage programs that run in the background. The concept was that such programs can burden the system unnecessarily. I downloaded Autoruns from Microsoft — that is, the original and highly rated Autoruns, not a lower-rated alternative. From the unzipped download, I ran Autoruns64.exe. That gave me a Sysinternals license screen. The program took a moment to orient itself, but then, as Bonilla advised, I was able to go into menu > Options > verify that Hide Microsoft Entries (automatically including Windows entries) was checked, so as to avoid tinkering with essential system programs. Then I went down, just below the menu, to the Logon (not Winlogon) tab. I did not disturb programs (e.g., antivirus) that definitely needed to run from startup. If in doubt, I left it checked, rather than run into a problem, weeks or months later, whose origin would baffle me. Items that I unchecked (i.e., that I did not want to run at startup) included those that I rarely used, that did not really need to be watching my system constantly, and that I preferred to start when I needed them. Participants in a Seven Forums discussion said changes were saved immediately, as with a registry editor, but some programs came back after a few reboots. In that case, I tried right-click > delete instead of merely unchecking a few, though Bonilla warned that this could destabilize the system. After a reboot, I ran msconfig > Services tab > check Hide all Microsoft services (in bottom left corner) and saw that some unwanted items were still checked, so I unchecked them there. Then, in the Startup tab, I clicked the Open Task Manager link and saw a few more items I could disable. These changes persisted after reboot. 
Since I did wind up with an unstable system, after the system repair I did not use Autoruns, but instead limited my activity to the steps just described for msconfig and Task Manager — and since I saw that some items were still unchecked, I assumed that, if the repair had changed anything, it had changed only those items needed for system stability, so I changed nothing further at that point.

Context Menu Editing

In File Explorer and elsewhere, the right-click context menu contained a number of unwanted items that distracted from the more useful entries. There were several ways to reduce those long lists of choices. Note that, as suggested by the reference to “context,” right-clicking on different entities (i.e., drive, folder, file), and on different kinds of files (e.g., .doc, .jpg), would yield somewhat different sets of context menu options. Depending on the programs installed and tweaks made, there could be hundreds of context menu entries altogether. Managing them could be complex, and I had previously found that mistakes could leave the system unusable. Indeed, my edits this time may have been responsible for this system’s ultimate instability. At this point, there seemed to be several relatively manageable strategies to prune the context menu:

  • Software Choice. One way to avoid clutter was to avoid software that would aggressively spawn multiple context menu entries everywhere without a way to remove those entries. Some years earlier, I had found NCH software to be of that ilk.
  • Installation & Program Options. Some programs provided options to withhold context menu entries during their installation, or in their settings menu. My program installation notes (above) mention some of these.
  • Default Apps. As TenForums (Brink, 2019) suggested, certain unwanted context menu items (e.g., Create a New Video) went away after I customized Win-I > Apps > Default apps to designate third-party programs (for e.g., photo viewing).
  • Autoruns. Along with its ability to manage startup programs (above), I found that Autoruns could make some context menu items disappear. I started by hitting F5 to refresh its list, and then went into its Everything tab and looked for headings indicating registry entries with names referring to ShellEx or ContextMenuHandlers (e.g., HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers). I saved the results via menu > File > Save.
  • Context Menu Editors. A search led to lists recommending several tools. Among those most commonly recommended, I found the context menu more accessible in Easy Context Menu than in CCleaner. The context menu editor in Glary Utilities was semi-hidden under the mouse icon at the bottom of its introductory screen. Using Glary, I did not remove any items — again, for fear of inducing instability — but I did disable a number of unwanted items by unchecking their boxes. An example of an item whose source was not obvious: SDECon32, apparently due to Spybot S & D. I didn’t like Glary because it wouldn’t die and kept coming back: eventually I added it to items automatically killed by STARTUP.BAT (above).
  • Win10RegEdit.reg and Win10Setup.bat. As discussed below, these two tools were able to add and remove a number of context menu entries. Before removing items, I might want to make sure that context menu editors, like those just mentioned, were not adding items that I would then feel the need to remove via registry edit or by one of the following tools.
  • ShellMenuView, sorted by menu name, listed two “Command Prompt” entries. I wanted an administrative command prompt option; I didn’t need these additional non-administrative Command Prompt options. So I selected these two items > right-click > Disable Selected Items.
  • ShellExView, sorted by Type, listed a number of Context Menu entries. Among these, I was able to right-click > Disable Selected Items for BDMenu Class (i.e., Bitdefender), CShellStitcher Object (for Microsoft Image Composite Editor), Eraser Shell Extension, and IObitUnstaler Class. Of these, my change failed only for Eraser: it was still there after a reboot, albeit only on the context menu for a shortcut, which I would hardly ever use. If other unwanted items began to accumulate on the context menu again, I would perhaps revisit that later.

SendTo Submenu

File Explorer offered two SendTo submenus. One was available by right-clicking on a file; the other (known as the extended SendTo menu) by Shift-right-clicking on a file. As noted in the background notes post, I decided not to bother editing the extended SendTo menu. These remarks focus solely on the ordinary right-click SendTo menu.

To see most of the items listed in that menu, I went to File Explorer’s address bar > sendto > Enter. (Alternately, %appdata%\Microsoft\Windows\SendTo or Win-R > shell:sendto.) That put me into the SendTo folder. That folder contained icons for items that were visible in the SendTo menu. I didn’t want some of those items. Rather than delete them, I zipped them into a file named Z Unwanted SendTo Items. The leading Z kept that zip file at the end of the list, where it wouldn’t bother me. If items insisted on being reinstalled, I could perhaps try the approach of adding deletion commands to a batch file running hourly — because that had worked so well when I tried it with the Start Menu.

Along with the deletions, I could also add new items to the SendTo folder. For instance, if I included a link to an oft-used program (e.g., Notepad, IrfanView), SendTo would function as an alternative to the “Open With” context submenu — which would be useful when Open With didn’t offer the program that I wanted to use. I could also add folder shortcuts to SendTo. When I was done, I made a backup of the items in the SendTo folder.

If I selected a file in File Explorer and used right-click > SendTo > click on a folder, that would put a copy of that file in the designated folder. If I wanted to move the file rather than copy it, I would use Send-To > Shift-click on the folder. Other “move to folder” options included MoveTo CopyTo, which I could not get to work, and Moo0 RightClicker (clunky free version, $26 pro version). To delete SendTo menu items that weren’t in the SendTo folder, I used SendTo Toys (alternative: SendTo Menu Editor). As another option, Windows PowerToys were reportedly coming back from retirement and would eventually include a relevant context menu tool.

Other Tweaking Tools

  • Win10RegEdit.reg. This file, shown at length in another post, contained the registry edits I used to change various aspects of system functioning, along with comments on some of those changes. That other post is largely separate from this one. Changes made by Win10RegEdit.reg are not necessarily described or even mentioned in this post. Where I could find a .reg file solution to a problem, I tended to put it into Win10RegEdit.reg. Doing so enabled me to automate many changes, in lieu of the manual step-by-step descriptions given here.
  • Win10Setup.bat. Remarks about Win10RegEdit.reg, in this post and in the other one, were largely applicable to Win10Setup.bat as well. This file contained a few tweaks that required the command line rather than registry edits.
  • Ultimate Windows Tweaker (UWT). This tool (rated 4.0 out of 5 by 175 raters at Softpedia) offered a one-stop source for many of the tweaks described above. For my purposes, it had some drawbacks: (1) I was not sure how to interpret some of its indications. For example, at this writing, I had just logged in; my Win10RegEdit.reg tweak had required me to hit Ctrl-Alt-Del at the login screen, as a security measure; and yet UWT > User Accounts > Require Users to Press CTRL + ALT + DEL To Logon was not checked. There were multiple examples. UWT did not seem to be checking system settings, and thus seemed to misrepresent the present state of affairs in some regards. This made me nervous that perhaps UWT was about to undo things that I had carefully figured out. So when using UWT, my rule of thumb was just to check or uncheck items only where I had seen system functioning that needed to be changed. (2) I thought it was now capable of recording my changes, so that I wouldn’t have to go back through again manually next time; but for some reason, at this writing, I was not seeing that option. Thus I continued to prefer Win10RegEdit.reg, which (together with this blog post) gave me a simple way of running many tweaks at once, as well as space for adding notes to those tweaks. (3) I preferred not to rely too heavily on third-party software, and to educate myself to some degree in the nuts and bolts. So I used UWT to verify and perhaps reconsider changes made by Win10RegEdit.reg and by the foregoing instructions, and to provide tweaks for items for which I hadn’t yet found a superior option elsewhere.

Move User Folders

Windows 10 came with a number of supposedly helpful folders located at %userprofile%. These included 3D Objects, Documents, Downloads, Music, Pictures, Videos, and Desktop. I didn’t want any of these except Desktop. Win10RegEdit.reg incorporated registry changes that would hide the unwanted folders, so that they would not clutter up the navigation pane under This PC in File Explorer. But the folders still existed and functioned. Thus, for instance, the Downloads folder continued to accumulate material.

I wanted to redirect references to such folders, so that files sent to them, by Windows or by any program, would go into my D:\Current folder. In place of a half-dozen folders that I wouldn’t use, I wanted the simpler solution of a single working folder. So I couldn’t use the approach of moving the Documents folder on drive C to a Documents folder on drive D, and moving the Music folder on drive C to a Music folder on drive D, and so forth.

One approach was to actually move those folders to D:\Current, using the prescribed method (briefly, right-click on the source folder (e.g., Documents) > Properties > Location tab > Move > specify the target folder). I had done that (or something like it) in Windows 7. Mixing several original folders into that one alternative folder (i.e., D:\Current) had produced some unwanted results, even in Windows 7. On Windows 10, this arrangement seemed to be working less well. It may have been responsible for some instability that I had seen in recent installation attempts.

Windows 10 did have a sort of answer to this kind of question, but it didn’t work for me. Specifically, I could not use Win-I > System > Storage > Change where new content is saved: that setting did not allow users to specify a folder. I did not want the complexity and potential problems of moving the entire Users folder — which, multiple sources said, would be a bad idea anyway.

It seemed that a “link” might be the solution. There seemed to be some inconsistency or confusion in various sources’ uses of relevant terms, due apparently to some differences between links in Windows vs. Linux. For present purposes, a SuperUser answer said that, among the options of hard link, symbolic link, or directory junction, I could not use a hard link because I wanted to redirect from one drive (C) to another (D): hard links apparently required the files to be on the same volume. Another SuperUser answer said that a junction was the tool of choice “when you want a directory to be elsewhere.” That seemed also to be the conclusion of a TenForums discussion in which one user was assured that he could “redirect Documents, Downloads, Music and Pictures in the user folder to a data drive” using mklink /j [source folder] [target folder], where mklink /j was the command for creating a junction.

To create a junction, I could enter the requisite command. The mklink syntax was simple, as I could see by running mklink /?. But I was curious about the Link Shell Extension (LSE) tool that several commenters had mentioned. (Later, I would see several possible alternatives: Junction Link Magic, Symbolic Link Creator, Symlink Creator, Symlinker.) After making a backup of my data files, I installed LSE, rebooted, and ran it. LSE’s documentation explained that it was accessed via File Explorer context menu: the Start Menu entry offered only configuration options. It appeared to be mostly limited to NTFS, not FAT (presumably including FAT32), file systems. The documentation noted that some features of LSE would not work in some File Explorer replacements. The process seemed to be, roughly speaking, right-click on the file or folder > Pick Link Source > right-click on another folder > Drop As > choose symbolic link, junction, or other options. The documentation appeared to provide a careful, well-illustrated guide to the potential complexities of links and junctions. I decided at this point that, for my purposes, it was easier to use mklink, and doing so would eliminate context menu entries that I would rarely use, so I uninstalled LSE.

Returning to the TenForums discussion just cited, it seemed that I needed to use mklink /j [source folder] [target folder], where the source was the drive C folder that I didn’t want to use (e.g., C:\Users\Ray (Admin)\Documents, better stated as %userprofile%\Documents), and the target was the drive D folder where I wished I could move that folder (in this case, D:\Current). A difference in my case was that I wanted multiple source folders (e.g., Documents, Downloads, Pictures) to be linked to that same target folder. That was the wrinkle that made the suggested alternative problematic: Windows (and, as noted above, the people who tried to help me) got confused when I right-clicked on each of those source folders and used Properties > Location tab > Move to the same target folder (i.e., D:\Current).

The first of two steps suggested in the TenForums discussion was to delete the source folder. Perhaps this step would keep Windows from getting confused as to how it should handle an incoming file that, per the junction, was supposed to be redirected from the source folder (e.g., %userprofile%\Downloads) to the target folder (e.g., D:\Current) when, instead, it was possible just to put that incoming file into the source folder (or, perhaps, into both folders). If the source folder no longer existed, there would be no uncertainty. Consistent with the TenForums discussion, a TechReport forum post suggested a set of steps that, for present purposes, could be phrased thus:

  1. Cease and close activities and programs that may try to access the source folder.
  2. Copy the contents of the source folder into the target folder.
  3. Delete the source folder. Going down the list of folders in my %userprofile% folder in the order listed in File Explorer, the first source folder would be 3D Objects. Thus, if I wished to do this via command, I would use rd /s /q "%userprofile%\3D Objects" (with straight quotation marks, at least for paths containing spaces).
  4. Run mklink /j [source folder] [target folder]. In this example, the command would be mklink /j "%userprofile%\3D Objects" D:\Current. In effect, this mklink command told the system, “Whenever you see a reference to the 3D Objects folder, don’t worry about whether it exists; instead, assume that it actually means D:\Current.” Apparently the Windows installation would not freak out when it realized that the 3D Objects folder was dead; it would be fine as long as we had a junction telling the system that a substitute had been appointed.
  5. Repeat the foregoing steps — copy contents from source to target folder, and then run rd and mklink commands — for each of the other source folders that I wished I could simply move. The full list of such folders in a standard Windows 10 installation seemed to be: 3D Objects, Documents, Downloads, Music, Pictures, and Videos.
  6. Later, I noticed that the Video DownloadHelper add-on for Firefox also created a download folder that I would want to redirect to my preferred target folder. So if I was using that extension, I might want to add it to the list. A review of folders located at %userprofile% might highlight others to be added. (It would probably not be wise to relocate the Application Data subfolder.)

These steps suggested a batch file, to preserve the necessary steps for future use. The file I produced was as follows:

:: USERJUNC.BAT
:: See https://superuser.com/questions/1487512/batch-unexpected-variable-results-in-subroutine

@echo off
cls
echo.
echo.
echo This is USERJUNC.BAT
echo.
echo.
echo First, manually copy contents of the source folders in the user's home folder
echo (i.e., 3D Objects, Documents, Downloads, Music, Pictures, and Videos)
echo to the target folder (in this case, D:\Current).
echo.
echo The path to the home folder is %userprofile%. Find the home folder by entering that
echo into the address bar in Windows File Explorer. Alternately, C:\Users\[username].
echo.
echo Note that some subfolders in those folders may be empty. Optionally delete empty
echo folders (in e.g., Documents) -- maybe empty out others as well -- before checking
echo and moving them, by running Remove Empty Directories.
echo.
echo.
echo The next steps will replace the source folders
echo with junctions to the target folder.
echo.
echo.
pause
setlocal
:: Stop before deleting anything if the target folder does not exist
if not exist "D:\Current\" (
  echo D:\Current was not found. Nothing has been changed.
  goto :eof
)
:: Process each source folder in turn; %%~G strips the quotes from the name
for %%G in ("3D Objects","Documents","Downloads","Music","Pictures","Videos") do call :sub1 "%%~G"
goto :eof

:sub1
:: %~1 is the folder name passed by the loop, without its surrounding quotes
set "apath=%userprofile%\%~1"
:: Delete the source folder and everything in it, then put a junction in its place
rd /s /q "%apath%"
mklink /j "%apath%" "D:\Current"
pause
goto :eof

That put something resembling a link file in place, in the %userprofile% folder, for each of those six unwanted folders. But did this effort succeed in making the target folder (i.e., D:\Current) an all-purpose substitute for those six folders? I tried downloading a file from online. As desired, that downloaded to D:\Current, instead of to %userprofile%\Downloads. I tried uploading from a device that would normally put its files in %userprofile%\Documents. That, too, put its files in a subfolder under D:\Current. This tweak seemed to work. Note, however, that when doing a Windows repair install, the contents of this folder could get confused, as discussed in another post.
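One way to check the result of USERJUNC.BAT, as an added PowerShell example that is not part of the original batch file: it reports, for each redirected folder, whether a junction exists and where it points. The function name Test-ProfileJunction and the throwaway demo folders are constructed for illustration, and the code assumes Windows PowerShell 5.0 or later.

```powershell
# Added example: audit the junctions that USERJUNC.BAT is meant to create.
# Assumes Windows PowerShell 5.0+ (for the LinkType and Target properties).

function Test-ProfileJunction {
    param(
        [string]   $ProfileRoot    = $env:USERPROFILE,
        [string]   $ExpectedTarget = 'D:\Current',
        [string[]] $Folder = @('3D Objects','Documents','Downloads','Music','Pictures','Videos')
    )
    $want = $ExpectedTarget.TrimEnd('\')
    foreach ($name in $Folder) {
        $path   = Join-Path -Path $ProfileRoot -ChildPath $name
        # -Force is needed because some profile folders are hidden
        $item   = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $target = $null
        if (-not $item) {
            $status = 'Missing'          # neither a folder nor a junction exists here
        } elseif ($item.LinkType -ne 'Junction') {
            $status = 'NotAJunction'     # a real folder: files saved here stay on drive C
        } else {
            $target = ([string](@($item.Target)[0])).TrimEnd('\')
            if ($target -eq $want) { $status = 'OK' } else { $status = 'WrongTarget' }
        }
        [pscustomobject]@{ Folder = $name; Status = $status; Target = $target }
    }
}

# Demonstration on constructed throwaway folders, so the real profile is not touched.
$root   = Join-Path $env:TEMP ('junc-demo-' + [guid]::NewGuid().ToString('N'))
$target = Join-Path $root 'Current'
$prof   = Join-Path $root 'Profile'
New-Item -ItemType Directory -Path $target, $prof | Out-Null
New-Item -ItemType Junction  -Path (Join-Path $prof 'Documents') -Value $target | Out-Null
New-Item -ItemType Directory -Path (Join-Path $prof 'Music') | Out-Null

# Documents is a junction, Music is an ordinary folder, Videos does not exist
Test-ProfileJunction -ProfileRoot $prof -ExpectedTarget $target -Folder 'Documents','Music','Videos' |
    Format-Table -AutoSize

# Remove the junction itself first, so cleanup never recurses into its target
(Get-Item -LiteralPath (Join-Path $prof 'Documents')).Delete()
Remove-Item -LiteralPath $root -Recurse -Force

# Real check, after running USERJUNC.BAT (uses %userprofile% and D:\Current by default):
# Test-ProfileJunction
```

Any folder reported as NotAJunction is still a real folder on drive C, so files saved there would not end up on the separately encrypted drive D.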

Using This Installation Elsewhere

Now that I had done all this work, I wanted to be able to run this system on other computers, without having to go through all these steps again. For this, there were multiple possibilities. One was to use the Windows To Go (WTG) approach detailed in another post. As supported by performance-related analysis in that post, in ordinary use (e.g., browsing with a bunch of tabs open; Microsoft Office; Acrobat) I hardly noticed any functional difference between the standard installation on my internal Samsung SSD and the WTG installation on my Samsung USB drive. Now that fast 128GB USB drives (alternately, external SSDs) were available for (relatively) cheap, it seemed feasible to put this full Windows installation on that external device and run it on virtually any 64-bit Windows-compatible machine.

As noted above, this installation used the default administrator account. For purposes of security, however, day-to-day work was better done in a standard user account with lower privileges. Another post discusses the need for both an admin account and a standard user account, as well as methods of creating the latter from the former. The essential point is that, once the installations and tweaks were done, it was time to create a standard user account, and to start using it.

Another way of using this installation on other hardware was to create a drive image of this system and restore it to another computer, perhaps with the aid of the “universal restore” or “dissimilar hardware” options available in paid versions of some drive imaging programs. I was not sure whether such efforts tended to be successful. It would presumably be necessary to activate the restored image on that other machine. Activation would presumably require having the same version of Windows. In my case, there could be a project of converting the Windows 10 Pro drive image from my desktop to a Windows 10 Home installation on my laptop. It looked like such downgrades were feasible but could be problematic.

These steps — especially drive imaging — might be better done before encrypting drive C. I was still not having perfect results when trying to make an image of an encrypted C drive, and that was the last step remaining in this project.

Encrypting Drive C

For reasons discussed in the security post, I downloaded and installed VeraCrypt, verifying its signature by installing Gpg4win as advised and then right-clicking on the .exe download (with the PGP Signature .sig download in the same folder) > More GpgEX options > Verify. It looked like I had done it right; it said we were good. I ran VeraCrypt and used it to encrypt drive C. I did this by going into VeraCrypt > menu > System > Encrypt System Partition/Drive. I chose Normal (rather than Hidden).
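The same verification can be done at the command line, with the added step of checking which key made the signature rather than only that a signature verified. This is an added example, not VeraCrypt's or Gpg4win's own tooling; it assumes gpg.exe from Gpg4win is on the PATH and that the VeraCrypt public key has already been imported, and the function names, file names and the fingerprint shown are placeholders.

```powershell
# Added example: confirm WHO signed the installer, not only that some signature verifies.

function Get-GpgValidSigFingerprint {
    # Returns the signing key's primary fingerprint from gpg's machine-readable
    # status lines, or $null if there is no VALIDSIG line (bad or unverifiable signature).
    param([string[]] $StatusLine)
    foreach ($line in $StatusLine) {
        if ($line -match '^\[GNUPG:\] VALIDSIG (?<sub>[0-9A-F]{40})\b(?<rest>.*)$') {
            $sub    = $Matches['sub']
            $fields = @(-split $Matches['rest'])
            # The last VALIDSIG field, when present, is the primary key's fingerprint
            if ($fields.Count -gt 0 -and $fields[-1] -match '^[0-9A-F]{40}$') {
                return $fields[-1]
            }
            return $sub
        }
    }
    return $null
}

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Installer,
        [Parameter(Mandatory)] [string] $Signature,
        [Parameter(Mandatory)] [string] $ExpectedFingerprint
    )
    # --status-fd 1 writes the [GNUPG:] status lines to stdout; the human-readable
    # messages go to stderr and are discarded here.
    $status = & gpg --batch --status-fd 1 --verify $Signature $Installer 2>$null
    $exit   = $LASTEXITCODE
    $signer = Get-GpgValidSigFingerprint -StatusLine $status
    $want   = ($ExpectedFingerprint -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        GpgExitCode = $exit
        Signer      = $signer
        # Trusted only if gpg succeeded AND the signer is the key we expected
        Trusted     = ($exit -eq 0 -and $null -ne $signer -and $signer -eq $want)
    }
}

# Constructed status output for illustration; the fingerprint is a placeholder,
# not the VeraCrypt project's real key.
$placeholder = 'AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'
$sample = @(
    '[GNUPG:] NEWSIG',
    '[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.invalid>',
    "[GNUPG:] VALIDSIG $placeholder 2019-01-01 1546300800 0 4 0 1 10 00 $placeholder"
)
Get-GpgValidSigFingerprint -StatusLine $sample

# Real use (file names are placeholders; take the fingerprint from the project's own site):
# Test-InstallerSignature -Installer '.\VeraCrypt-Setup.exe' `
#     -Signature '.\VeraCrypt-Setup.exe.sig' `
#     -ExpectedFingerprint '<fingerprint published by the VeraCrypt project>'
```

A valid signature from an unexpected key comes back with Trusted set to False, which is the case the GpgEX "Verify" dialog leaves to the user to notice.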

The big question was whether to encrypt the whole drive. That option was actually grayed out, in my case. Various sources opined that I would have that option only if I was using a Legacy/MBR rather than GPT drive, or only if I first disabled Secure Boot in BIOS. The explanation seemed to be that UEFI booting required access to an unencrypted hidden boot partition. One source said there were more complex means (e.g., use a hidden operating system or a thumb drive) to improve upon this situation. (See also Stack Exchange.) So I could use different VeraCrypt passwords for partitions C and D, both located on the same SSD. In a pinch, if I couldn’t run the VeraCrypt-encrypted installation on drive C, I should still be able to access the encrypted data on D by using VeraCrypt’s portable or Linux versions, or VeraCrypt installed on a Windows To Go USB drive. Thus, I chose the option to “Encrypt the Windows system partition” (i.e., not the entire drive).

VeraCrypt proceeded to raise the question of whether I should use a PIM in addition to a password. The short answer was that there was a tradeoff between increasing decryption complexity (i.e., using a PIM, especially a large one) and delay: it took longer to decrypt a complicated password-PIM combination. A PIM smaller than 485 would make the password easier to break, so in that case the user would need a strong password. But a large PIM would make for a slower verification, each time the user signed in to the encrypted partition.

When I reinstalled Win10 on the desktop, I ran into a warning:

CAUTION: The VeraCrypt Boot Loader is already installed on your system drive!

It is possible that another system on your computer is already encrypted.

WARNING: PROCEEDING WITH ENCRYPTION OF THE CURRENTLY RUNNING SYSTEM MAY MAKE OTHER SYSTEM(S) IMPOSSIBLE TO START AND RELATED DATA INACCESSIBLE.

Are you sure you want to continue?

This was odd. I had installed Win10 from scratch on this SSD. A search yielded no insight. Possibly the VeraCrypt boot loader had survived in a hidden partition. I went ahead with the task. The warning did not seem to have any practical consequences.

VeraCrypt proceeded to the option of creating a rescue disk. As it turned out, this actually created a .zip file of only 1.7MB. As instructed, I unzipped it to the root level of a (small) FAT32 USB flash drive. An appendix (below) contains the advice that VeraCrypt gave me, at this point, on using the rescue disk.

Otherwise, I went with the defaults. Then VeraCrypt wanted to do a pretest. This involved a reboot and me entering the password I had chosen. They provided advice on what to do if the system wouldn’t reboot. I have added that material as an appendix (below). After that pretest, which involved a reboot, VeraCrypt began encrypting drive C, even as I continued working. When it finished, it offered this information:

The system partition/drive has been successfully encrypted.

Note: If there are non-system VeraCrypt volumes that you need to have mounted automatically every time Windows starts, you can set it up by mounting each of them and selecting ‘Favorites’ > ‘Add Mounted Volume to System Favorites’.

The encryption of drive C completed this Windows installation. Note again that this was just the setup for the administrator account. The process of preparing this system for daily use continued with cloning this administrator account to a standard user account, as described in another post.
