Monday, January 12, 2009

Windows 7: Unexpected Discoveries

Yes, I know that Windows 7 Beta got released last week.

I had tried valiantly this past Friday to get my W7 Beta key and W7 ISO downloads.

The key was a complete wash until Saturday when the floodgates opened and I was able to get several along with a quick download of the ISO file.

I had been worried but found that Microsoft uncapped the download and key limits for the next two weeks!

The Key to the problem is…

Here's where we stand - Windows 7 Team Blog.

"Due to an enormous surge in demand, the download experience was not ideal so we listened and took the necessary steps to ensure a good experience. We have clearly heard that many of you want to check out the Windows 7 Beta and, as a result, we have decided to remove the initial 2.5 million limit on the public beta for the next two weeks (thru January 24th). During that time you will have access to the beta even if the download number exceeds the 2.5 million unit limit."

(Turns out that the MS W7 EULA allows multiple installations with the same key. Thanks for the tip, Dwight!)

So don’t sweat that you will be left out of this latest gold-rush.  Grab your beta key and move on.  There’s lots to see and you don’t need to waste your time filling your pockets. Leave some for the late-comers.

Swatting at W7 NATs

I suppose I could have followed this Lifehacker post (Windows 7: How to Dual Boot Windows 7 with XP or Vista) and done a dual-boot configuration of one of my systems with Windows 7 Beta, but I am a bit risk averse with my home systems.

Instead, I took the safer route and created a fresh virtual hard-drive file in VirtualPC 2007 picking Vista as the intended system.  I mounted the downloaded W7 beta ISO file with VirtualPC as I booted the new vhd.  That got me directly to the installation process and it went surprisingly fast.  Much faster than what I had encountered under the Vista beta versions I had tested.

I got it installed on a VirtualPC session with no issues, except that I had to set the VirtualPC session to use NAT routing due to the wireless config I had.  Then the virtual Windows 7 couldn’t find the Internet through my host system until I did a little research and, on a hunch, tried manually assigning the DNS server address for the Windows 7 virtual operating system to the virtual gateway IP address used by Virtual PC.  That did the trick and the Webs flowed quick and fast.

For a walkthrough on this process see this great post with visuals:

Virtual Machine Additions…

Once I had the virtualized W7 Beta rocking in VirtualPC I wanted to do some drag-n-drop file transfers and set up a shared folder between the VirtualPC of Windows 7 and my hosting Vista system.  However, I couldn’t do that without installing Virtual Machine Additions in the client.  Only I haven’t yet found a Windows 7 version of them.

Would the set (ISO file) that came with VirtualPC 2007 work?

Surely not!

I browsed to the VirtualPC program folder and found the ISO file and attached to it.

Sure enough, Windows 7 took the setup and installed them with no complaints.  After a reboot I was good to go with both sound as well as the drag-n-drop and shared folder features working perfectly.  No BSOD or other fatal flaws have been encountered.

Who knew Windows 7 was so flexible and Vista-backward supportive?

That really bodes well.

Windows 7 WAIK = WinPE 3.0 ?

I didn’t get much time this weekend to play with it, but what I did see impressed me.  It ran speedy and well with just 512MB system RAM allocated to the Windows 7 virtual machine.

I also found these related Microsoft items regarding Windows 7 that are now available.

Knowing that there is a Windows Automated Installation Kit beta already available for Windows 7 is very exciting.

The current WinPE 2.0 is based on the current Vista WAIK.  And as we are finding out, WinPE 2.0 can do amazing things and is quite customizable.

I’m not sure if we can call the Windows 7 WAIK the road to WinPE 3.0, but if early indications bear out, it might be even more versatile than PE 2.0 is.

And those other finds with the USMT for W7 as well as image serving will demand close inspection!

Microsoft’s Windows 7 Driver Goals

The post Engineering Windows 7 : Primer on Device Support and Testing for Windows 7 is a long and fairly dry and technical post.  However, it did contain this interesting tidbit that again bodes well for upgrades of existing Vista-supported hardware platforms.  Folks with working Vista systems that are fence-sitting regarding Windows 7 might feel more welcome than the XP folks who got splinters in their tooshies from Vista.

From that post (emphasis mine):

One of our primary goals for Windows 7 is compatibility with all Vista certified drivers and to ensure that people have a seamless upgrade experience. This breaks down into several requirements that guide how we test:

  • Drivers for basic functionality are in-box (by in-box we mean available as part of the installation of Windows). This includes drivers for mainstream storage, network, input, and display devices so the OS can be installed and user can get online where, if needed, additional drivers can be acquired from Windows Update.
  • Drivers update and/or install with minimal end user effort.
  • When drivers are upgraded, there aren’t problems with the new drivers.
  • Drivers are reliable.

That may explain why the VirtualPC 2007 additions went on smoothly.

The post then goes on to detail the elements of clean installs, attaching devices without setup disks (containing drivers at hand), and updating drivers via Windows Update or an independent hardware vendor (IHV) website source.

There was much more in the post than meets the eye at first blush.

Windows 7 Problem Steps Recorder

One of the challenges in Help Desk work for end-user workstation support is tracking down the cause of the error they are reporting.

Sure there are system and event logs.  If I am lucky I can remote-attach to the user’s system while the problem still is present or the error alert is showing.

Usually, I have to play detective and use a variety of interrogation and system inspection techniques to get the clues and facts needed to replicate the issue…and then work out the solution.

Long Zheng drops a killer tip that Windows 7 might have dramatically improved my ability to collect meaningful fault data.

A feature new to Windows 7, called “Problem Steps Recorder” looks to be the missing tool for documenting where it all goes wrong.

The tool is a simple but advanced variation of screen capture software. Think of it as an automated “Print Screen” plus a little monkey in the background documenting all the mouse clicks, key strokes and gathers some technical reading material, who then ties up everything in a neat box and saves the results. The neat little box you get is a zipped MHTML report page which can be sent off directly to the help desk.

The report page is where this tool really shines. It actually is an XML page documenting each step of the user’s actions complete with a screenshot with the item highlighted. You can view the report as is, or as a slideshow, or even dig into the raw XML to expose greater detail like the X&Y coordinates of the mouse.

To try the “Problem Steps Recorder” for yourself, type and select “psr.exe” in the Windows 7 start menu.

Long Zheng helpfully provides a link to a report he prepared earlier for your viewing pleasure. You must use Internet Explorer to view MHTMLs.

Check it out.  It’s tre’ chic!
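An added example, not from the original post or from Long Zheng: because the report is a zipped MHTML file (a MIME multipart document), a help desk or forensic analyst can inventory what it contains with Python's standard library before opening it in a browser. The member name, part names and payload bytes in the sample are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy

def build_sample_report() -> bytes:
    """Constructed stand-in for a PSR report: a zip holding one .mht file."""
    mht = (
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
        b"--b1\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Location: main.htm\r\n\r\n"
        b"<html><body>Step 1: constructed sample</body></html>\r\n"
        b"--b1\r\n"
        b"Content-Type: image/jpeg\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"Content-Location: screenshot0001.jpeg\r\n\r\n"
        b"/9j/4AAQSkZJRg==\r\n"  # constructed: first 10 bytes of a JPEG header
        b"--b1--\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Problem_sample.mht", mht)  # constructed member name
    return buf.getvalue()

def inventory_report(zip_bytes: bytes) -> list[dict]:
    """List every MIME part of each .mht/.mhtml member without rendering it."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".mht", ".mhtml")):
                continue
            msg = message_from_bytes(zf.read(name), policy=policy.default)
            for part in msg.walk():
                if part.is_multipart():
                    continue  # container only; the leaf parts hold the data
                payload = part.get_payload(decode=True) or b""
                parts.append({
                    "member": name,
                    "type": part.get_content_type(),
                    "location": str(part.get("Content-Location", "")),
                    "size": len(payload),  # decoded size in bytes
                })
    return parts

if __name__ == "__main__":
    for p in inventory_report(build_sample_report()):
        print(p)
```

The image parts are the captured screenshots, so the inventory also shows how much on-screen content a report carries before it is forwarded or archived.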

Crime? You can’t hide in Windows 7!

Leave it to Windows forensic expert Harlan Carvey to not let any Windows 7 grass grow on his side of the fence!

He decided to start poking the Windows 7 beta fish bowl with a stick to see what he could stir up.

Windows Incident Response: Windows 7 Beta Registry

He did some looking, found a VMware-built virtual drive of Windows 7 beta, and brought it home to play with.

Initial results were very positive.

Very cool! Not only do the tools seem to work just fine, but it looks as if the VMDK is a Windows 7 Beta VM. Very nice. Other plugins, such as samparse, seemed to work just fine, but parsing the UserAssist key in the NTUSER.DAT file was problematic...the "normal" GUID key didn't seem to be in the hive.

So, it would seem that the binary format of the Windows 7 (the Beta, anyway) Registry hive files has not changed. I'm sure that the content has, as keys have changed names and functionality, and values and ways of recording data have changed. However, as with the move from Windows 2000 to XP, there may simply be more opportunities for forensic analysts.

There may be some changes/additions required, but seeing as Windows 7 is built upon much of the foundations already laid in Vista, forensic analysts and system administrators alike should find the under-the-hood workings pretty similar and recognizable to current tools and techniques.  Hopefully the tweaks needed to adapt them to the Windows 7 environment will be minimal.

I have no doubt Harlan’s is the first of many great W7 related forensic posts to come.

BTW…be sure you grab and apply an anti-virus application to your Windows 7 build from one of several Windows 7: Security Providers.  Nice to know these are coming out pretty quickly along with the Beta release.

Wishing you were here…

For the folks who are curious about all the geek ruckus that has hit the blog-o-sphere over Windows 7 but could care less as they are still trying to come to terms with both XP and this new-fangled “Vista” thing they got for Christmas, here is a selection of posts that have lots of pretty pictures and cover a range of features and issues to be found in Windows 7 (to date).

Think of them as postcards for the Windows 7 tourist set…

That’s all for now.

More Windows 7 technical linkage and finds are waiting in the wings.

Check back soon.

--Claus V.

1 comment:

H. Carvey said...


Thanks for the shout-out!

Think of it as an automated “Print Screen” plus a little monkey in the background documenting all the mouse clicks, key strokes and gathers some technical reading material...

Nice! From a helpdesk perspective, that's great...from a forensics perspective, that's even..uh...greater!