Sunday 17 February 2008

Windows Vista - Registry tweaks

SetupComplete.cmd - this batch file will run after Windows is installed, but before the logon screen appears. Windows Setup searches for the SetupComplete.cmd file in the C:\Windows\Setup\Scripts folder. If a SetupComplete.cmd file is found, the file is executed.

Copy and paste the following text into Notepad and save it as SetupComplete.cmd:

@echo off

cd\

start /wait regedit.exe /s c:\windows\setup\regtweaks.reg & c:\windows\setup\bootedit.bat

exit

Create the C:\Windows\Setup\Scripts folder and place the SetupComplete.cmd file in the folder.

Copy and paste the following text into Notepad and save it as regtweaks.reg:

Windows Registry Editor Version 5.00

;put the Windows Kernel in memory

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

"DisablePagingExecutive"=dword:00000001


;setting this to 1 allows for 8 "rearmings of activation" in Vista Business and Ultimate editions.

;A setting of zero allows for only 3 rearms.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL]

"SkipRearm"=dword:00000001


;IE7

; IE7 Remove Search Box

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions]

"NoSearchBox"=dword:00000001


; IE7Menu Bar Top

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"ITBar7Position"=dword:00000001


; start Internet Explorer from a desktop icon and if you right-click the icon you can choose to start IE without Add-Ons.

[Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]

"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000


;Explorer

; Add "Take Ownership" to Explorer Right-Click Menu

[HKEY_CLASSES_ROOT\*\shell\runas]

@="Take Ownership"

"NoWorkingDirectory"=""


[HKEY_CLASSES_ROOT\*\shell\runas\command]

@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"


[HKEY_CLASSES_ROOT\Directory\shell\runas]

@="Take Ownership"

"NoWorkingDirectory"=""


[HKEY_CLASSES_ROOT\Directory\shell\runas\command]

@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"


;add "copy to" to right click context menu

[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers]


[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\{C2FBB630-2971-11D1-A18C-00C04FD75D13}]

;add "move to" to right click context menu

[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers]


[HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\{C2FBB631-2971-11D1-A18C-00C04FD75D13}]


; NTFS, Disable 8.3 names and Last Access (speeds up disk access)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]

"NtfsDisable8dot3NameCreation"=dword:00000001

"NtfsDisableLastAccessUpdate"=dword:00000001


; Specifies the time, following user input, during which the system keeps apps from moving into the foreground.

[HKEY_CURRENT_USER\Control Panel\Desktop]

"ForegroundLockTimeout"=dword:00000000


; Disable automatic updates

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]

"AUOptions"=dword:00000001


;Disable IPv6:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:ffffffff


;Determines whether TCP uses the timestamping and window scaling features described in RFC 1323, TCP Extensions for High Performance

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"Tcp1323Opts"=dword:1


Put the regtweaks.reg file in the C:\Windows\Setup folder.

You can use SetupComplete.cmd to copy files to the PC, run scripts, modify registry settings and so on.

Note: You do not see SetupComplete.cmd run or have interaction with it, so be sure any commands you do use in the SetupComplete.cmd file are accurate and won't error out on you.
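
An added example (not from the original post): Windows Setup runs SetupComplete.cmd under the Local System account, so the HKEY_CURRENT_USER entries in a .reg file imported from it land in that account's hive, not in the profile of whoever logs on later. The Python sketch below parses a version 5.00 .reg file and groups its entries by where the write takes effect, so the file can be reviewed before deployment; the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample in the same format as the regtweaks.reg shown above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; Disable automatic updates
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ForegroundLockTimeout"=dword:00000000

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
'''

# Where a write ends up when the file is imported by the Local System account.
SCOPES = {
    "HKEY_LOCAL_MACHINE": "machine-wide",
    "HKEY_CLASSES_ROOT": "machine-wide",
    "HKEY_CURRENT_USER": "importing account only",
}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return (key, value_name, kind, data) for every value in a .reg file."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"cannot parse line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            entries.append((key, name, "dword", int(rhs[6:], 16)))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            entries.append((key, name, "string", _unescape(rhs[1:-1])))
        else:
            entries.append((key, name, "raw", rhs))  # hex: and other types, kept verbatim
    return entries


def by_scope(entries):
    """Group (key, value_name) pairs by where the write takes effect."""
    report = {}
    for key, name, _kind, _data in entries:
        hive = key.split("\\", 1)[0].upper()  # hive names are case-insensitive
        report.setdefault(SCOPES.get(hive, "other"), []).append((key, name))
    return report
```
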

Sunday 3 February 2008

Tweak Vista: IE and Services

IE settings

· Choose whether to have the phishing filter on or off (Tools > Internet Options > Advanced tab > Security > Phishing Filter). Disabling it altogether will be undone by Sysprep.

· Choose a home page: type the address in the address bar. Click on the arrow beside the home icon, choose “add or change home page” and choose one of the 2 options.

· Install any toolbars you might want

· Enable CTCP: a few remarks

TCP Receive Window Auto-Tuning optimizes receiver-side throughput and CTCP optimizes sender-side throughput. By working together, they can increase link utilization and produce substantial performance gains for large bandwidth-delay connections. Auto-tuning is turned on by default, but for some reason CTCP is not.

Both features will only work on compatible hardware and high-speed connections (Gigabit LAN, fiber optics…). Older NICs/routers and servers might be negatively impacted by this.

netsh int tcp set global congestionprovider=ctcp

Services

· Changing the status of a service that doesn't start automatically anyway does nothing for you performance wise. The following table only lists the services that are automatically started AND not strictly necessary, which leaves 30 services. Of these I always disable or set to manual the 10 marked in red (which will save some 80Mb of RAM, normally unnoticeable on a PC with >1 Gb of RAM)

· Unchecking them in msconfig will be undone by Sysprep

Application Experience

Automatically configures applications to run in compatibility mode. Right click and choose compatibility mode instead.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Base Filtering Engine

If you use an external hardware firewall/gateway/router between your computer and the internet, do not use IPsec (VPN tunneling, etc) and Internet Connection Sharing (ICS), then this service can be disabled. Please note that BFE is required for Windows Firewall.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Desktop Window Manager Session Manager

Part of the new Windows Themes, reverts back to basic styles when running applications that are not compatible with Vista Aero. It also performs functions such as the thumbnail view from the task bar and alt+tab, plus the Windows Flip3D interface as well as the transparency effects on various windows.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Diagnostic Policy Service

Needed for Windows to automatically search for the cause and solve errors.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

Function Discovery Resource Publication

Publishes this computer and resources attached to this computer so they can be discovered over the network.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

IKE and AuthIP IPsec Keying Modules

Might be needed for some VPN software/protocols.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

IP Helper

Provides automatic IPv6 connectivity over an IPv4 network. And risks slowing down network connections while it tries to do so…

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

IPsec Policy Agent

Most home networks do not use IPsec as it is mostly used for remote VPN connections.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

KtmRm for Distributed Transaction Coordinator

Needed if MSDTC is running (server software).

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

Offline Files

Maintains a cache of offline files.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Portable Device Enumerator Service

Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices. Some mp3 players and some cameras might need this.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Program Compatibility Assistant Service

See Application Experience.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

ReadyBoost

ReadyBoost uses a USB flash drive or memory card as memory cache. No noticeable performance gain on systems with at least 1GB of RAM.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Security Center

Monitors the status of Windows Update, Windows Firewall and virus protection software. If you do not want the Security Center to monitor these functions for you, while the service is started go to: Start > Control Panel > Security > Security Center and on the left hand side select "Change the way Security Center alerts me." In the resulting dialog box, select "Don't notify me and don't display the icon". After this step is complete, you may place the Security Center service in disabled and it will not start again or continue to be displayed in the system tray after a reboot. This does not, however, disable any of the 3 protections, it only disables Security Center.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Shell Hardware Detection

Used for the auto play of devices like memory cards, CD drives, etc. Some laptop docking stations might need it, as well as some scanners and cameras.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Tablet PC Input Service

This is on by default because it will not start by itself if put on manual! Besides the obvious need on a tablet PC, or if you use a writing pad, the Snipping Tool depends on it.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Terminal Services

Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. Needed for Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Manual; “Bare Bones”: Disabled

Themes

I like Aero, so I keep this on Automatic. If you are using an older system that can’t run Aero, disable the themes to make it look like Windows 2000/XP (with its new theme disabled) and save the memory.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

UPnP Device Host

Allows networking with devices that also use UPnP. Routers, some media players, Xbox…

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

WebClient

Connect to a directory by adding the directory to the list of Network Places and display the contents as if it were part of the file system on your local computer. Remote backup often relies on this too.

DEFAULT: Automatic (Started); “Safe”: Disabled; “Tweaked”: Disabled; “Bare Bones”: Disabled

Windows Defender

Scan your computer for unwanted software, schedule scans, and get the latest unwanted software definitions. If you disable this you will need to remove it from the startup list in msconfig, or it will nag you every time you boot that it cannot start.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Windows Error Reporting Service

Allows errors to be reported to Microsoft when programs stop working or responding and allows existing solutions to be delivered.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

Windows Firewall

Microsoft's included firewall.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Automatic; “Bare Bones”: Disabled

Windows Media Center Service Launcher

Starts Windows Media Center Scheduler and Windows Media Center Receiver services at startup if TV is enabled within Windows Media Center.

DEFAULT: Automatic (Delayed Start); “Safe”: Automatic (Delayed Start); “Tweaked”: Disabled; “Bare Bones”: Disabled

Windows Search

Without this, Explorer will have to fall back to its slow search. It will still search though.

DEFAULT: Automatic (Started); “Safe”: Automatic; “Tweaked”: Disabled; “Bare Bones”: Disabled

Sunday 20 January 2008

Tweak Vista: Explorer, Defender, Desktop and Start menu, Default profile

  1. Explorer settings

Start > control panel > classic view (left pane) > Folder options
In the View tab check "always show menus" (so you can access these options from Explorer), "show hidden files and folders", "launch folder windows in a separate process" and "use checkboxes to select items" and uncheck "hide extensions for known file types" and "hide protected operating system files". "hide protected operating system files" will be undone by Sysprep.
In the Search tab I choose to "always search file names and contents", "include subfolders when typing in the Search box", "Find partial matches", "Use natural language search" and "Include system directories"

  2. Default Profile

Each new user who logs into the PC has a profile created for them. The profile is built from a combination of the Default profile and what used to be called the All Users profile and in Vista has become a combination of the Public profile and certain data from C:\ProgramData. The user profile contains settings and configuration options specific to the user, such as installed applications, desktop icons and color options but also those things that a user has access to and those things that the user can and cannot change.
If you want all of the users who login to a PC to start out with the same profile
  • Rename the current C:\Users\Default folder to OriginalDefault (to have a backup of the original folder)
  • Under the C:\Users folder, create a new folder called Default. This will become the new Default profile folder. In the Sysprep.xml file, (see below) you will set the CopyProfile setting to True. This setting will copy the profile of the user logged in when Sysprep is run, to the C:\Users\Default folder. Now, all users who login will start out with the same profile, while the original Default profile will still be available if the need for it should arise.

  3. Windows Defender

I don't like this app. I find it overzealous in some respects and not enough in others and the configuration options have for some reason never worked as advertised on any of my systems. So:
  • Start > type services > <enter>. In the list find Windows Defender, right click, choose Properties, stop it and set it to Disabled, apply. Close the window.
  • Start>type msconfig> <enter>. Search for Windows Defender in the Startup tab and uncheck it. Close the window but don't reboot yet, we are not quite done…….

  4. Desktop settings

Choose a background and a color scheme: right click on the desktop, choose Personalize, and go through the options
In Windows Color and appearance, click on "open classic appearance properties…", click on Advanced, under Item scroll to "border padding" and reduce the size to 0, apply.
Back in the main window, in the left pane, click on "change desktop icons" to choose which of any Vista icons you want on the desktop.
Right click on the Orb, choose Properties and customize the Start menu, notification area, task bar… The setting I find most useful here is to view the Computer, documents, pictures, music and control panel folders as menus.
Next week: IE and services tweaks

Monday 14 January 2008

Install and configure Windows Vista

1. Setup

  • Do not enter a serial number at this stage.

  • When you are prompted to create a user, press Ctrl + Shift + F3 instead. This will take you to the desktop logged in as the built-in Administrator. Windows Welcome will open; remove the checkmark beside "start with windows" and close it. Also close the Sysprep window. The Sysprep window will be opened each time you reboot.

Note: Because OOBE has been interrupted, you did not get a chance to configure the network. Click on Start > type services > <enter>. In the list, find the Network List Service, right click, choose Properties, set it to Automatic and apply, then start the service. This will give you internet connectivity immediately if you are on a wired connection and after you specify security parameters (SSID, encryption type, password) if you are using a wireless one.
2. System configuration: Boot options
Vista's boot manager stores the drive signature and partition number and relies on this information for subsequent boots. Unfortunately some actions, like cloning and reimaging, will change that information and lead to a "winload.exe not found" error at boot.
Sysprep, which we will use later, "generalizes" the information in the boot manager, but we might want to image the OS before applying sysprep, so I usually start by running the following script to tell the boot manager that "whatever device/partition I booted from, that's the device/partition I want to use" (copy and paste in notepad, save as bootedit.bat). We will also include this script in the actions to be taken when the new image is deployed on a new PC.

bcdedit /set {bootmgr} device boot

bcdedit /set {default} device boot

bcdedit /set {default} osdevice boot

bcdedit /set {memdiag} device boot

Save the file in C:\Windows\Setup and double click to run. The settings will be applied next time you boot the system.

Another feature that is known to cause compatibility issues is DEP (Data execution prevention). DEP can be disabled by adding another line to the above script:

bcdedit /set {current} nx AlwaysOff

A last line added to the above script will re-enable PAE (Physical Address Extension), which was disabled when disabling DEP:

bcdedit /set PAE ForceEnable
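
An added check, not part of the original post: `nx AlwaysOff` turns DEP off for every process on every PC the image is later deployed to, so it is worth confirming what the script actually changed before the image is captured. This Python sketch parses saved `bcdedit /enum` output and lists entries whose device or osdevice is not `boot`, plus any entry with DEP forced off; the sample output is constructed and the function names are illustrative.

```python
import re

# Constructed sample of `bcdedit /enum` output; osdevice was left unchanged on purpose.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  boot
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  boot
path                    \Windows\system32\winload.exe
osdevice                partition=C:
nx                      AlwaysOff
pae                     ForceEnable
"""


def parse_bcd(text):
    """Return one dict of settings per BCD entry, in output order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # Each entry is a title line, a dashed rule, then "name  value" rows.
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue
        entry = {"title": lines[0].strip()}
        for line in lines[2:]:
            parts = line.split(None, 1)
            if len(parts) == 2:  # value-only continuation rows are skipped
                entry[parts[0]] = parts[1].strip()
        entries.append(entry)
    return entries


def review(entries):
    """List (identifier, setting, value) items to look at before imaging."""
    findings = []
    for e in entries:
        ident = e.get("identifier", e["title"])
        for field in ("device", "osdevice"):
            if field in e and e[field] != "boot":
                findings.append((ident, field, e[field]))
        if e.get("nx", "").lower() == "alwaysoff":
            findings.append((ident, "nx", e["nx"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_bcd(SAMPLE_BCD)):
        print(finding)
```
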


Next week: explorer, defender and desktop settings.


Sunday 6 January 2008

How to configure a reference PC that once imaged can be deployed to multiple PCs

Overview

Requirements
• An x86 or x64 based computer running Windows XP SP2, Windows Vista, or Windows Server 2003 SP1 operating system. This will be the machine where WAIK gets installed and various files created.
• A PC where Windows Vista is to be installed. Can be a virtual machine. Should have internet/network connectivity, preferably wired. This will be the reference PC.
• CD/DVD burner and CD/DVD burning software, one blank CD, one blank DVD
• Windows Automated Installation Kit (AIK)
• Windows Vista install DVD

Assumptions
• These instructions are based on the Ultimate or Business versions of Vista
• These instructions assume a clean install of Vista
• <enter> means press the Enter key
• You know how to open an elevated command prompt in Vista and perform simple file operations like copy/paste, find a specific location in Explorer…..

Steps
• Install and configure Windows Vista along with any needed applications on a reference PC.
• Prepare the reference PC for imaging.
• Install WAIK on the work PC
Download, change the .img ending to .iso and either mount in a virtual CD drive on the work PC, or burn to a CD and install. Leave all settings to default.
• Create a Sysprep.xml file that will automate the configuration of Windows Vista.
• Run Sysprep.exe on the reference PC to "prep" the Vista installation for imaging.
• Create a WinPE 2.0 CD
• Boot the sysprepped PC with a WinPE CD and capture an image of the hard drive.
• Save the image to removable media.
• Apply the saved image to other PCs.

On first boot up of the newly imaged PCs, mini-setup, using sysprep.xml, will run and auto-configure Windows Vista.

In following posts I will detail each of these steps.