How to Troubleshoot Apps for the Modern Connected Worker
Windows 8 Client Part 1 "The OS internals for IT-Pro's"
1. Windows 8 Client Part 1
"The OS internals for IT-Pro's"
Tom Decaluwé
Infrastructure Manager
Macintosh Retail Group
Contact me: tom@decaluwe.eu
http://trycatch.be/blogs/decaluwet
2. Windows 8 slow adoption
- Touch UI
- Different
- Disruptive leap
- Bad economic times
- We just migrated to Windows 7
- Apple is better
- Lack of “devices”
- Lack of “time” for IT pros
Keala group
17. How a Windows To Go workspace differs from a normal PC
• Internal disks disabled
• TPM not used => replaced with a pre-operating system boot password
• No hibernation
• No Recovery Environment
• No Push button reset
• Windows Store disabled
• No MAK activation
You have limited hard disk space, like an SSD but worse ;-)
19. Computer roaming
Windows uniquely identifies computers based on constant characteristics of the machine firmware: the SMBIOS UUID if present, or certain SMBIOS strings.
This ID is used to ensure that when Windows returns to a computer, only the necessary set of drivers is loaded.
When roaming to a new computer, drivers are installed on the first boot, similar to the first time you boot a generalized Windows image.
Disk layout of the Windows To Go drive:
• System Partition (boot files): FAT32 file system, 300 MB, Legacy Boot Manager (Bootmgr) and UEFI Boot Manager (Bootmgfw.efi)
• Operating System Partition (apps, data, settings): NTFS file system
20. Boot Disk Removal
Boot disk removal is detected by the USB stack.
The kernel freezes the system.
The stack will wait 60 seconds for the boot disk to return and then power down the system.
If the boot disk is returned within that window, the system will resume. Put it back in the same USB port.
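To check the two properties that matter most here on a live workspace (that Windows really booted as a portable OS, and that every non-boot disk is offline), here is an added PowerShell example. It is not part of the deck; it assumes Windows 8 (PowerShell 3.0 with the Storage module) and an elevated prompt. `PortableOperatingSystem` on `Win32_OperatingSystem` is the flag Windows sets when booted from a Windows To Go drive.

```powershell
# Added example (not from the slides): confirm a Windows To Go workspace and
# that the internal disks are really offline. Assumes Windows 8, elevated prompt.

function Get-WindowsToGoState {
    # Win32_OperatingSystem.PortableOperatingSystem is $true when the OS was
    # started from a Windows To Go drive (property available since Windows 8).
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWtg = [bool]$os.PortableOperatingSystem

    # The disk carrying the boot partition, and every other disk in the machine.
    $bootDisk   = Get-Disk | Where-Object { $_.IsBoot }
    $otherDisks = Get-Disk | Where-Object { -not $_.IsBoot }

    # Windows To Go takes the other disks offline by default; an online internal
    # disk is exactly the data-leakage path that default is meant to close.
    $onlineInternal = @($otherDisks | Where-Object { -not $_.IsOffline })

    [pscustomobject]@{
        PortableOS          = $isWtg
        BootDiskNumber      = $bootDisk.Number
        BootDiskBusType     = $bootDisk.BusType          # expect 'USB' on Windows To Go
        OnlineInternalDisks = @($onlineInternal | ForEach-Object { $_.Number })
        Compliant           = $isWtg -and ($onlineInternal.Count -eq 0)
    }
}

$state = Get-WindowsToGoState
$state | Format-List

if ($state.PortableOS -and -not $state.Compliant) {
    # The offline default can be overridden with diskpart or Set-Disk -IsOffline $false;
    # report it rather than silently accepting it.
    Write-Warning ("Internal disk(s) {0} are online inside a Windows To Go workspace" -f ($state.OnlineInternalDisks -join ','))
}
```

On a normal installation `PortableOS` is false and the internal disks are online, so `Compliant` is false by design; the check is only meaningful when run from the workspace itself.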
22. Quick DR
Refresh: keep all personal data, Metro style apps, and important settings from the PC, and reinstall Windows.
Reset: remove all personal data, apps, and settings from the PC, and reinstall Windows.
Both run from the Recovery Environment.
23. Reset your PC
Remove everything and start from scratch
1. Win RE - Boots into the Windows Recovery Environment
2. Win RE - Erases and formats
3. Win RE - Installs a fresh copy
4. PC restarts into the newly installed OS
24. Refresh your PC
Fix a problem with your computer
It’s a reinstall without losing your data, settings, and Metro style apps
1. Boots into Windows RE
2. Win RE scans the hard drive for your data, settings, and apps, and puts them aside (on the same drive).
3. Win RE installs a fresh copy of Windows.
4. Win RE restores the data, settings, and apps.
5. The PC clean boots
25. Kept or removed?
Kept:
• Wireless network connections
• Mobile broadband connections
• BitLocker and BitLocker To Go settings
• Drive letter assignments
• Personalization settings such as lock screen background and desktop wallpaper
• Metro apps (not the classic apps)
Removed:
• File type associations
• Display settings
• Windows Firewall settings
• Classic apps
26. Include the apps
Refresh from a previous state (a custom refresh image that includes the classic apps)
mkdir C:\RefreshImage
recimg -CreateImage C:\RefreshImage
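The two commands above, wrapped with the checks you would want before relying on the image, as an added PowerShell example that is not part of the deck. It assumes Windows 8 with recimg.exe, an elevated prompt, and the `C:\RefreshImage` location from the slide.

```powershell
# Added example (not from the slides): create a custom refresh image and verify
# that it is the one a later "Refresh your PC" will use. Assumes Windows 8,
# recimg.exe on the path, and an elevated prompt.
$imageDir = 'C:\RefreshImage'   # assumed location, same as the slide

$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'recimg needs an elevated prompt.'
}

New-Item -ItemType Directory -Path $imageDir -Force | Out-Null

# /createimage captures the current installation (classic apps included, user
# data excluded) into CustomRefresh.wim and registers it as the active refresh image.
& recimg.exe /createimage $imageDir
if ($LASTEXITCODE -ne 0) { throw "recimg failed with exit code $LASTEXITCODE" }

# /showcurrent prints the registered image location; compare it with what you
# just created so the refresh does not silently fall back to the OEM image.
& recimg.exe /showcurrent
Get-Item (Join-Path $imageDir 'CustomRefresh.wim') | Select-Object FullName, Length, LastWriteTime
```

Re-run the capture after each round of application changes; the image is a point-in-time snapshot and a refresh restores the classic apps exactly as they were when it was created.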
30. BIOS vs UEFI boot speed
Figure: boot timelines. Windows 7: POST -> OS initialization -> service & app initialization -> Explorer ready. Windows 8: POST -> device initialization -> hiberfile read (Session 0) -> service & app init -> Explorer ready.
End-users judge their PC performance according to boot speed
31. Power -> logon
• Seamless single graphics transition from firmware to native OS driver
• POST with the highest supported native resolution
• Clean, high-resolution branding elements (OEM logo) persist through OS boot
Figure: user view is the OEM logo throughout; boot phases marked at roughly 2 s (POST), 4 s (hiber resume), 6 s (device init.) and 7 s (Explorer init.)
32. How to shutdown
Shutdown => system kernel hibernate (hybrid shutdown)
Restart => full restart, full boot
shutdown /s /full /t 0 => force full shutdown without hibernate file
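Because a hybrid shutdown keeps kernel state in the hiberfile, a machine that "was shut down" may still be running the old kernel and old boot drivers, and its hiberfile is an artifact worth knowing about before imaging or forensic acquisition. The following added PowerShell example (not part of the deck) shows how to tell the two apart on Windows 8. It assumes the `HiberbootEnabled` registry value under `Session Manager\Power` and that Microsoft-Windows-Kernel-Boot event 27 reports the boot type in its message text as `0x0` (cold), `0x1` (fast startup) or `0x2` (resume from hibernation); both are assumptions to confirm on your build. Released Windows 8 builds spell the fast-startup form as `shutdown /s /hybrid`, with plain `/s` already being a full shutdown; the `/full` switch on the slide dates from pre-release builds, so check `shutdown /?` before scripting either.

```powershell
# Added example (not from the slides): detect fast startup and the type of the
# last boot, and show the full-shutdown command. Assumes Windows 8.

function Get-FastStartupState {
    # HiberbootEnabled = 1 means "Shutdown" performs a hybrid shutdown (Session 0
    # hibernated); it only works while hibernation itself is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $val = Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue
    $hiberfile = Test-Path (Join-Path $env:SystemDrive 'hiberfil.sys')
    [pscustomobject]@{
        HiberbootEnabled = ($val -ne $null -and $val.HiberbootEnabled -eq 1)
        HiberfilePresent = $hiberfile
    }
}

function Get-LastBootType {
    # Assumption: Kernel-Boot event 27 carries the boot type as 0x0 / 0x1 / 0x2.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return 'unknown (no Kernel-Boot event 27 found)' }
    switch -Regex ($ev.Message) {
        '0x0' { return 'full shutdown (cold boot)' }
        '0x1' { return 'hybrid shutdown (fast startup)' }
        '0x2' { return 'resume from hibernation' }
        default { return "unknown: $($ev.Message)" }
    }
}

Get-FastStartupState | Format-List
"Last boot type: $(Get-LastBootType)"

# Forcing a cold state. Uncomment one of these on a machine you are allowed to stop:
#   shutdown.exe /s /t 0          # full shutdown on released Windows 8 builds
#   powercfg.exe /h off           # disables hibernation, and with it fast startup
```

After a `/h off` the hiberfile is deleted, which is also what you want on a drive that will be carried between machines (the Windows To Go design disables hibernation for the same reason).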
34. UEFI secure boot
“Protects against bootkits by verifying the boot loader before loading”
Step 1: MS creates a signature of the boot loader and pre-stages it onto PCs.
Figure: the boot loader is hashed with SHA-256; the hash is encrypted (signed) with the private half of a Microsoft RSA-2048 key pair, and the public half verifies the signature.
35. UEFI secure boot
Step 2: UEFI firmware databases are pre-staged on Windows 8 logo devices
• db: signature database, keys you trust
• dbx: forbidden signature database, blacklists a loader or key
• KEK: key exchange keys, to update db or dbx
• PK: platform key => to update the KEK
Windows 8 certified devices must adhere to the hardware certification requirements => KEK and db must contain a Microsoft key, and Secure Boot must be enabled out of the box.
36. Measured boot
Creates a log with a hash of everything that was loaded.
Figure: BIOS -> boot loader -> kernel -> early drivers; each stage records the hash of the next item(s).
When the kernel initializes, ELAM can look at the hashes of the drivers and decide to load them (yes/no) before loading the early drivers into memory.
37. Remote Attestation
Allow a boot log to be evaluated and enforce a policy.
Figure: the client sends the measured boot log to the attestation server; the server returns a TOKEN.
38. All 3 components
Figure: UEFI POST -> Win8 boot loader -> kernel -> ELAM -> 3rd party anti-malware software -> Windows logon; the measured boot log goes to the attestation Windows server, which returns a TOKEN.
40. Connected Standby
Figure, three states:
• Screen On (Active): user present and using the device
• Screen Off (Connected Standby): user not present, device still connected
• Shutdown: user not present, no context saved
New Windows power state
The PC’s screen is off, but the device remains in a very low idle state
The network adapter maintains a connection to the network
Metro style apps continue to receive live tile updates and toast notifications
Background Tasks and Push Notifications enable customers to receive real-time communication via apps such as email, IM and VoIP
43. App model for connected standby
App model is right by design for power
Apps are suspended when the computer enters Connected Standby
Apps may register background activity in Background Tasks
Notifications API allows suspended apps to handle incoming events from the cloud
Pattern matching and wake used for push notifications and real-time apps
47. Checkdisk
Win7:
- Only two states: the volume is healthy, or the volume is not healthy => the volume goes offline
- Fix time was directly related to the number of files on the volume
- A disk has 2 health states
Win8:
- Fix corruption with a minimum of downtime
- ReFS => no longer requires fixing offline
- A disk has 4 health states
50. BitLocker
- Support Encrypted Hard Drive to offload cryptography to disk processor
- BitLocker Pre-provisioning in WinPE environment
- Used space encryption
- Standard user PIN change
- Network Unlock
53. Client Hyper-V
- Same technology as Windows Server 2012
- Requirements
- 64-bit system
- SLAT (second level address translation)
- 4 GB RAM
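An added PowerShell example (not from the deck) that checks the three requirements above before enabling the feature. It assumes Windows 8, where `Win32_Processor` exposes the SLAT and VT-in-firmware flags and `Win32_ComputerSystem` reports `HypervisorPresent`; note that once a hypervisor is running, the CPU flags read false because the hypervisor hides them.

```powershell
# Added example (not from the slides): verify Client Hyper-V prerequisites.
# Assumes Windows 8 CIM classes; run elevated if you also want to enable the feature.
function Test-ClientHyperVRequirements {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Is64Bit             = ($os.OSArchitecture -like '64*')
        SLAT                = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VTEnabledInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled   # off => enable VT-x/AMD-V in firmware setup
        DEPAvailable        = [bool]$os.DataExecutionPrevention_Available
        RAMGB               = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        HypervisorRunning   = [bool]$cs.HypervisorPresent                 # when true, the CPU flags above read false
    }
}

$r = Test-ClientHyperVRequirements
$r | Format-List

$ready = $r.Is64Bit -and ($r.SLAT -or $r.HypervisorRunning) -and ($r.VTEnabledInFirmware -or $r.HypervisorRunning) -and $r.RAMGB -ge 4
if ($ready) {
    # DISM module, Windows 8: same feature name as the "Turn Windows features on or off" entry.
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
} else {
    Write-Warning 'Client Hyper-V requirements not met (64-bit, SLAT, VT enabled in firmware, 4 GB RAM).'
}
```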
* We are missing seamless apps
-> Software => the new interface and app model enable businesses to create their own LOB apps to help improve productivity.
-> The operating system is faster, more reliable and more secure.
Hardware makers delivered 90 million PCs in Q4 2012.
The reason for this is that in Windows 7, the upgrade process preserved the customer’s applications in the Program Files folder and their files in the Users folder by moving each file to a transport location (so that the original folders can be deleted to make way for the newer installation), and then moving them back again to complete the installation. With music and photo collections, it’s not unusual to have hundreds of thousands of files, so even relatively fast move operations can really add up.

Simplifying the transport: In Windows 7 the transport (the place where the files and settings being preserved between the old and new operating systems are stored) was comprised of two folders: “Windows.~q” and “Windows.~tr”. In Windows 8 this has been simplified to just one folder. The “Windows.old” naming convention has been repurposed for consistency with clean install (which creates a “Windows.old” folder containing the previous OS in order to be able to roll back should the installation fail). Merging the transport folders into the single Windows.old folder speeds up the upgrade process, as it removes the need to move files between the ~tr and ~q folders.

Switching to hard links: In upgrades to Windows 7, files were moved between the old OS, the transport, and Windows 7 by using file move operations. In upgrades to Windows 8, hard link operations are used instead. This means setup can link to the actual data on disk in the transport location without having to physically move the file, which has a significant performance gain. And if something goes wrong with setup and it has to roll back, it just needs to delete the hard links, and the files are completely unaffected on disk.
What is it? It’s a full, no-compromise PC on a memory stick.
- Offline internal disks: When booted into a Windows To Go workspace, internal hard disks are disabled by default. The Windows To Go workspace completely disassociates itself from the other drives in a machine. This minimizes the risk of unwanted manipulation of either device as well as data leakage.
- Absence of Trusted Platform Module (TPM): Traditionally, BitLocker is implemented using the TPM integrated hardware. Because the TPM is linked with a specific computer, it cannot be used with Windows To Go, which can be used on multiple computers. To replace the TPM for a Windows To Go workspace, a pre-operating system boot password is used for security.
- Disabled hibernation: Hibernation has been disabled by default to maximize a workspace’s versatility to move between machines. If a machine is in hibernate, a user might remove the USB media, thinking the computer is turned off.
- Removed Windows Recovery Environment: In a Windows To Go workspace, the Windows Recovery Environment is not available. In the event that a recovery is needed, re-image the drive.
- Disabled Push Button Reset: This feature was disabled due to the nonsensical nature of resetting to the manufacturer’s standard for a computer while running Windows To Go.
- Disabled Microsoft Store: The Windows Store uses hardware identification for licensing purposes. For this reason, the Windows Store is disabled on Windows To Go. If the Windows To Go workspaces will not be moving to multiple computers, the store can be re-enabled.
- Absence of Multiple Activation Key (MAK) method: The MAK activation method is not supported for Windows
Windows To Go can be configured to boot on both UEFI and BIOS computers. Both sets of boot components are placed on a FAT32 system partition.
Boot a PC from the USB stick + play a movie + remove the USB stick
Thorough => clean wipe; this option writes random patterns to every sector of the drive, overwriting any existing data visible to the operating system. Quick => ETA 6 min. Thorough => ETA 23 min.
Unlike manually reinstalling Windows, you don’t have to go through the Windows Welcome screens again and reconfigure all the initial settings, as your user accounts and those settings are all preserved. ETA => 8 min.
The following settings are deliberately not preserved, as they can occasionally cause problems if misconfigured: file type associations, display settings, Windows Firewall settings.
Install a Metro app and a non-Metro app + refresh the PC => show that the existing app is still there, while the legacy app is listed in the TXT file.
The BIOS experience: long BIOS boot + difficult to get to the functions; security risks; VGA dependency = low resolution; boot disk size limit of 2.2 TB (MBR, http://en.wikipedia.org/wiki/Master_boot_record). UEFI: FASTER.
BIOS: standard since 1980.
BIOS issues:
- Time delay at POST
- Boot kit threats
- Lots of <Fn> key options at boot
- Confusing OS boot menus
- No connection between OS and BIOS boot menus
- BIOS menus circa 1980
- Boot disk size limited to 2.2 TB
POST must be long to show logos and to allow x seconds for the function keys. OS initialisation takes long as the kernel, drivers, ... need to be restarted. Services & apps: all the apps need to come back online. The Win8 hiberfile is a hibernation of Session 0.
http://www.youtube.com/watch?v=35D0_feZnK8
Secure Boot does not require a Trusted Platform Module (TPM). You cannot just update db and dbx => they are protected from editing via the KEK: an update to db or dbx needs to be signed by a key in the KEK. To update the KEK, the update must be signed by something in the PK. The PK is pre-injected during Setup Mode by the vendor. All components are baked into the machine.
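An "enabled" flag alone tells you little; what matters is who holds the PK and KEK, because that is who can change the trust anchors. The following added PowerShell example (not part of the deck, not a Microsoft tool) reads the Secure Boot state and decodes the PK, KEK, db and dbx variables into their signers. It assumes Windows 8 on UEFI firmware, an elevated prompt and the SecureBoot module (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`); the GUIDs are the `EFI_SIGNATURE_LIST` signature types from the UEFI specification, and the `*Microsoft*` subject match used for the "Microsoft key" check is an assumption about the certificate names.

```powershell
# Added example (not from the slides): decode the Secure Boot variables and
# check the logo baseline (Secure Boot on, Microsoft key in KEK and db).
# Assumes Windows 8, UEFI firmware, elevated prompt, SecureBoot module.

# Signature-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
$EFI_CERT_X509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureLists {
    # A variable is a sequence of EFI_SIGNATURE_LIST records:
    #   GUID   SignatureType
    #   UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize
    #   UINT8  SignatureHeader[SignatureHeaderSize]
    #   EFI_SIGNATURE_DATA Signatures[]  (GUID SignatureOwner followed by the data)
    param([byte[]]$Bytes, [string]$Variable)
    [int]$pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type            = New-Object System.Guid -ArgumentList (,[byte[]]$Bytes[$pos..($pos + 15)])
        [int]$listSize   = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        [int]$headerSize = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        [int]$sigSize    = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Variable at offset $pos"
        }
        [int]$end    = $pos + $listSize
        [int]$sigPos = $pos + 28 + $headerSize
        while ($sigPos + $sigSize -le $end) {
            $owner = New-Object System.Guid -ArgumentList (,[byte[]]$Bytes[$sigPos..($sigPos + 15)])
            $data  = [byte[]]$Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Variable; Owner = $owner; Type = 'other'; Subject = $null; Thumbprint = $null }
            if ($type -eq $EFI_CERT_X509) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256) {
                $entry.Type = 'SHA256'; $entry.Thumbprint = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]$entry
            $sigPos += $sigSize
        }
        $pos = $end
    }
}

$secureBootOn = $false
try   { $secureBootOn = Confirm-SecureBootUEFI }
catch { Write-Warning "Secure Boot not supported here, or not elevated: $($_.Exception.Message)" }
"Secure Boot enabled: $secureBootOn"

$entries = @(foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try   { Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name $name).Bytes -Variable $name }
    catch { Write-Warning ("{0}: {1}" -f $name, $_.Exception.Message) }   # absent in Setup Mode
})

$entries | Where-Object { $_.Type -eq 'X509' } | Format-Table Variable, Subject, Thumbprint -AutoSize
"dbx revocation entries: " + @($entries | Where-Object { $_.Variable -eq 'dbx' }).Count

# The certification requirement from the slide. Assumption: Microsoft's Secure Boot
# signers carry "Microsoft" in the certificate subject.
$msKek = @($entries | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*Microsoft*' }).Count
$msDb  = @($entries | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Microsoft*' }).Count
if ($secureBootOn -and $msKek -gt 0 -and $msDb -gt 0) {
    'Baseline met: Secure Boot on, Microsoft signer present in KEK and db.'
} else {
    Write-Warning 'Baseline not met: Secure Boot off, or no Microsoft signer in KEK/db (custom PK/KEK, or Setup Mode).'
}
```

The PK entry names the party that can replace the KEK (normally the OEM), and the KEK entries name who can push db/dbx updates; a machine whose PK you do not recognise is one whose trust anchors someone else controls, regardless of what the "enabled" flag says.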
http://www.youtube.com/watch?v=oiqcog1sk2E
Measured boot is a boot loader and OS feature that uses the TPM to keep a record of early boot components as they load, starting at the BIOS/UEFI => before each next component in the boot sequence is loaded, the previous component computes the hash of the next component and stores it in the TPM, in the TPM’s PCRs. The BIOS/UEFI hashes the boot manager (bootmgr / bootmgfw.efi) => hands off to the boot manager, which hashes winload.exe or winresume.exe => launches the kernel => the kernel loads the early drivers into memory and, before it initialises the early boot drivers, it initialises ELAM, which scans the drivers before they load.
http://mbt.codeplex.com/
http://www.youtube.com/watch?v=oiqcog1sk2E
Remote attestation is a TPM-based feature; it allows a boot log to be evaluated by a remote system and a policy to be enforced. The client boots and creates the log; the log is signed with your TPM key; the log is sent to the remote system for verification; the remote server then sends a token back. The client can then send this token onwards and say “I’m clean”.
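What the attestation server actually does with that log, as an added PowerShell example that serves both the Measured boot and the Remote Attestation notes above. It is not part of the deck or of any Microsoft tool: it models the PCR extend chain (each stage hashes the next component, the TPM folds that hash into a PCR as `PCR' = SHA256(PCR || hash)`) and the server-side replay plus allow-list check. The component names, their contents and the allow-list are constructed for the demonstration; on a real Windows 8 client the log is stored under `C:\Windows\Logs\MeasuredBoot` and the PCR values and their signature come from the TPM.

```powershell
# Added example (not from the slides): a self-contained model of measured boot
# and the server-side replay a remote-attestation service performs.
# Components, allow-list and "quote" are constructed for the demonstration.

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256([byte[]]$data) { ,$sha.ComputeHash($data) }
function ConvertTo-Hex([byte[]]$b) { ($b | ForEach-Object { $_.ToString('x2') }) -join '' }

function Invoke-PcrExtend([byte[]]$pcr, [byte[]]$measurement) {
    # TPM extend operation: new PCR = H(old PCR || measurement)
    Get-Sha256 ($pcr + $measurement)
}

# --- client side: boot and measure (constructed stand-ins for the real binaries) ---
$components = [ordered]@{
    'bootmgfw.efi' = [Text.Encoding]::ASCII.GetBytes('boot manager v1')
    'winload.exe'  = [Text.Encoding]::ASCII.GetBytes('os loader v1')
    'ntoskrnl.exe' = [Text.Encoding]::ASCII.GetBytes('kernel v1')
    'elam.sys'     = [Text.Encoding]::ASCII.GetBytes('early launch anti-malware v1')
}

function Invoke-MeasuredBoot([System.Collections.Specialized.OrderedDictionary]$chain) {
    $pcr = New-Object byte[] 32        # PCRs are all zeros after a reset
    $log = @()
    foreach ($name in $chain.Keys) {
        $m   = Get-Sha256 $chain[$name]            # the previous stage hashes the next one
        $pcr = Invoke-PcrExtend $pcr $m            # ... and extends the PCR before handing off
        $log += [pscustomobject]@{ Component = $name; Digest = (ConvertTo-Hex $m) }
    }
    # The "quote": the final PCR value. A real TPM signs it with an attestation key.
    [pscustomobject]@{ Log = $log; QuotedPcr = (ConvertTo-Hex $pcr) }
}

# --- server side: allow-list of approved builds, replay of the log, token ---
$allowList = @{}
foreach ($name in $components.Keys) { $allowList[$name] = ConvertTo-Hex (Get-Sha256 $components[$name]) }

function Test-Attestation($evidence, [hashtable]$policy) {
    $pcr = New-Object byte[] 32
    foreach ($e in $evidence.Log) {
        if ($policy[$e.Component] -ne $e.Digest) { return "DENY: $($e.Component) is not an approved build" }
        $m   = [byte[]](0..31 | ForEach-Object { [Convert]::ToByte($e.Digest.Substring(2 * $_, 2), 16) })
        $pcr = Invoke-PcrExtend $pcr $m
    }
    # The log is only trustworthy if replaying it reproduces the TPM-backed PCR.
    if ((ConvertTo-Hex $pcr) -ne $evidence.QuotedPcr) { return 'DENY: log does not replay to the quoted PCR' }
    'TOKEN: boot chain healthy'
}

# 1. Healthy boot: every digest is approved and the replay matches the quote.
$good = Invoke-MeasuredBoot $components
Test-Attestation $good $allowList

# 2. Tampered OS loader: the log entry changes, and so does every later PCR value.
$bad = [ordered]@{}
foreach ($k in $components.Keys) { $bad[$k] = $components[$k] }
$bad['winload.exe'] = [Text.Encoding]::ASCII.GetBytes('os loader v1 + bootkit')
Test-Attestation (Invoke-MeasuredBoot $bad) $allowList

# 3. Forged log: approved entries pasted over the tampered boot's PCR; replay mismatch.
$forged = [pscustomobject]@{ Log = $good.Log; QuotedPcr = (Invoke-MeasuredBoot $bad).QuotedPcr }
Test-Attestation $forged $allowList
```

Case 3 is why the token is tied to the TPM-signed PCR and not to the log file alone: the log can be edited by whatever compromised the client, but it cannot be made to replay to a PCR value the TPM did not produce.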
A Windows 8 device will have 3 types of states: On, Connected Standby, Off. You will hardly ever go to the shutdown state on a connected standby device. When you suspend the system there is a very short time in which the apps can save their state.
Win 7 PC: dim the display at 60 s; turn off the display after 120 minutes; sleep state after 180 seconds, S3 mode => nothing happens, no connectivity. Phone: screen off after 180 seconds; idle time has small peaks/bursts of stuff happening: cell connecting, SMS, ...
Graph 1 => Win7 with screen off => 15.6 ms timer tick. Graph 2 => Win8 connected standby => rare and well-structured power usage; the CPU only wakes when it has something “important” to do.
Windows 8 connected standby requires:
- Non-rotational boot volume
- WiFi device supports NDIS 6.3 features (D0 offload, Wake on Push, etc.)
- ACPI 5.0 flag indicating low-power S0 over S3
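An added PowerShell example (not part of the deck) that checks the three prerequisites above on a Windows 8 machine. It assumes the Storage and NetAdapter modules and English `powercfg /a` output; the `Standby (Connected)` string is localized, and it is listed under the "not available" section with the firmware's reason when the ACPI flag is missing, so only the lines before that section count.

```powershell
# Added example (not from the slides): Connected Standby readiness check.
# Assumes Windows 8, Storage and NetAdapter modules, English powercfg output.
function Test-ConnectedStandbyReadiness {
    # powercfg /a prints the available states first, then "not available" ones
    # with a reason (e.g. no ACPI 5.0 low-power S0 flag); keep only the first part.
    $available = @()
    foreach ($line in (powercfg.exe /a)) {
        if ($line -match 'not available') { break }
        $available += $line
    }
    $csAvailable = [bool]($available -match 'Standby \(Connected\)')

    # Non-rotational boot volume: media type of the physical disk behind the boot partition.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot }
    $media    = [string](Get-PhysicalDisk | Where-Object { $_.DeviceId -eq $bootDisk.Number }).MediaType

    # NDIS 6.3 on the Wi-Fi adapter (D0 offload, wake on push).
    $wifi   = @(Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' })
    $ndisOk = [bool]($wifi | Where-Object { [version]$_.NdisVersion -ge [version]'6.30' })

    [pscustomobject]@{
        ConnectedStandbyAvailable = $csAvailable
        BootMediaType             = $media
        BootVolumeNonRotational   = ($media -eq 'SSD')
        WifiNdisVersion           = ($wifi | ForEach-Object { $_.NdisVersion }) -join ','
        WifiNdis63                = $ndisOk
        Ready                     = $csAvailable -and ($media -eq 'SSD') -and $ndisOk
    }
}
Test-ConnectedStandbyReadiness | Format-List
```

When `ConnectedStandbyAvailable` is false, the reason printed by `powercfg /a` under the "not available" section tells you which of the three requirements the firmware or driver failed.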
Its logical capacity is listed as 10TB although the underlying physical disks in the pool have only 4TB of total raw capacity. As a result, you no longer need to worry up-front about the size.Resiliency is built in by associating the mirrored attribute, which means that there are at least two copies of all data contained within the space on at least two different physical disks. Because the space is mirrored, it will continue to work even if one of the physical disks within the pool fails.
Create a storage space on the home computer
A new method of communication describes types of corruption as “verbs” that act upon the key components and points of the design: the file system driver (NTFS), the self-healing module, the spot-verification service, and the chkdsk utility. All file system corruptions are classified as needing one of 18 different “verbs” defined in Windows 8, with room left for new verb definitions that can help diagnose issues even better in the future.

Online and healthy: In this state there are no detected file system corruptions and there is no action required of you. The file system remains in this state most of the time.

Online spot verification needed: The file system stays in this transient state only for a brief instant after the file system finds a corruption that it cannot self-heal; it puts the volume in this state until the spot verification service verifies the corruption. Again, there is no user action required.

Online scan needed: When the spot-verification service confirms the corruption, it puts the file system in the “online scan needed” state. In the next maintenance window, an online scan is performed; there is no user action required. This state is reflected in the Action Center, so you can run the scan manually if you want to do that before the next maintenance window. The scan is run as a background operation, which means that you can continue using the computer while the scan is performed. During this online scan, all verified issues and fixes are logged for later repair. On Windows Server 8 systems, idle time is determined by monitoring the CPU and storage idle times.
Online self-healing: The NTFS self-healing feature was introduced in Windows Vista (and in Windows Server 2008) to reduce the need to run chkdsk. Self-healing is a feature built into NTFS that fixes certain classes of corruption encountered during normal operation, and can make these fixes while still online. If all issues that are detected are self-healed online, there is no need for an offline repair. In Windows 8 the number of issues that can be handled online was increased, further reducing the need for chkdsk.

Online verification: Some corruptions are intermittent due to memory issues and may not be the result of an actual corruption on the disk; so Windows 8 adds a new service, called the spot verification service. It is triggered by the file system driver and it verifies that there is actual corruption on the disk before moving the file system along in the health model. This new service runs in the background and does not affect the normal functioning of the system; it does nothing unless the file system driver triggers it to verify a corruption.

Online identification and logging: When an issue is verified, this triggers an online scan of the file system, which runs as a maintenance task in the file system. In Windows 8, scheduled tasks for the maintenance of the computer run only when appropriate (during idle time, etc.). This scan can run as a background task while other programs continue to run in the foreground. As the file system is scanned, all issues that are found are logged for later correction.

Precise and rapid correction: At the user or administrator’s convenience, the volume can be taken offline, and the corruptions logged in the previous step can be fixed. The downtime from this operation, called “Spotfix”, takes only seconds, and on Windows Server 8 systems with cluster shared volumes this downtime is eliminated completely.

With this new model, chkdsk offline run time is directly proportional to the number of corruptions, rather than to the number of files as in the old model.
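The four states and the scan/spotfix split, driven from PowerShell instead of chkdsk, as an added example that is not part of the deck. It assumes Windows 8 (Storage module, `Get-Volume` / `Repair-Volume`) and an elevated prompt; `Repair-Volume -Scan` is the online scan (`chkdsk /scan`) and `-SpotFix` applies only the logged fixes (`chkdsk /spotfix`). The numeric `HealthStatus` mapping is the one documented for the MSFT_Volume CIM class. It defaults to a data volume, because a spotfix of the running OS volume is deferred to the next boot.

```powershell
# Added example (not from the slides): walk a volume through the Windows 8
# health model. Assumes Windows 8 Storage module and an elevated prompt.

# MSFT_Volume.HealthStatus values (CIM class documentation).
$HealthNames = @{ 0 = 'Healthy'; 1 = 'Scan Needed'; 2 = 'Spot Fix Needed'; 3 = 'Full Repair Needed' }

function Get-VolumeHealthReport {
    param([string]$DriveLetter = 'D')
    $v    = Get-Volume -DriveLetter $DriveLetter
    $code = [int]$v.HealthStatus
    # fsutil still exposes the classic dirty bit, useful for comparison with Windows 7.
    $dirty = [bool]((& fsutil.exe dirty query "${DriveLetter}:") -match 'is Dirty')
    [pscustomobject]@{
        Volume     = "${DriveLetter}:"
        FileSystem = $v.FileSystem
        HealthCode = $code
        Health     = $HealthNames[$code]
        DirtyBit   = $dirty
    }
}

function Invoke-OnlineVolumeRepair {
    # Stage 1 (online, no downtime): verify and log corruptions.
    # Stage 2 (seconds of downtime): apply only the logged fixes.
    param([string]$DriveLetter = 'D')
    $report = Get-VolumeHealthReport -DriveLetter $DriveLetter
    if ($report.HealthCode -eq 0) { return $report }

    Repair-Volume -DriveLetter $DriveLetter -Scan | Out-Null
    $report = Get-VolumeHealthReport -DriveLetter $DriveLetter
    if ($report.HealthCode -eq 2) {
        Repair-Volume -DriveLetter $DriveLetter -SpotFix | Out-Null
        $report = Get-VolumeHealthReport -DriveLetter $DriveLetter
    }
    if ($report.HealthCode -ne 0) {
        # Only "Full Repair Needed" (3) still needs the old file-count-proportional offline run.
        Write-Warning "$($report.Volume) still reports '$($report.Health)'; schedule Repair-Volume -OfflineScanAndFix in a maintenance window"
    }
    $report
}

Invoke-OnlineVolumeRepair -DriveLetter D | Format-List
```

On a healthy volume the function returns immediately, which is the common case the notes describe; the scan and spotfix paths only run once the spot-verification service has confirmed a real corruption.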
http://www.windowsitpro.com/article/security/bitlocker-windows-8-142661
Administrators can enable BitLocker pre-provisioning from the Windows Preinstallation Environment (WinPE) by using the Manage-bde BitLocker command-line utility. WinPE is a lightweight Windows environment that is used for installing the Windows OS. For example, to pre-provision BitLocker on your F drive, type the following Manage-bde command at a WinPE command prompt: manage-bde -on f:
Network Unlock works like the TPM plus startup key unlock method. Instead of reading a startup key from a USB medium, Network Unlock uses an unlock key. This key is composed of a key that is stored on the machine's local TPM and a key that Network Unlock receives from a Windows 8 Windows Deployment Services (WDS) server on the trusted network. If the WDS server is unavailable, then BitLocker displays the standard startup key unlock screen.
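The pre-provisioning flow end to end, as an added PowerShell example that is not part of the deck or the linked article. Part 1 is the one manage-bde command typed in WinPE before the image is applied; part 2 runs in the installed OS and replaces the clear key that pre-provisioning leaves behind with real protectors. It assumes Windows 8 / WinPE 4.0 with manage-bde.exe, the BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Backup-BitLockerKeyProtector`) in the full OS, C: as the OS volume, and an AD environment configured to accept recovery-password backups.

```powershell
# Added example (not from the slides): BitLocker pre-provisioning completed
# after OS installation. Assumes Windows 8, BitLocker module, elevated prompt.

# --- Part 1, in WinPE before applying the image (run there, shown as a comment) ---
# Used-space-only encryption of an empty volume takes seconds. Until protectors
# are added the volume is protected by a clear key only, i.e. not protected at all.
#   manage-bde -on C: -UsedSpaceOnly

# --- Part 2, in the installed OS (first boot / task sequence) ---
function Complete-BitLockerProvisioning {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ([string]$vol.VolumeStatus -eq 'FullyDecrypted') { throw "$MountPoint was not pre-provisioned in WinPE" }

    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # TPM protector: the machine boots unattended, keys are sealed to the boot chain.
    if ($types -notcontains 'Tpm') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    # Recovery password: the only way back in after a TPM or boot-chain change.
    if ($types -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Escrow every recovery password in AD before the device leaves your hands.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($rp in ($vol.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    }

    # Network Unlock builds on the TPM protector above; the WDS role and the
    # Network Unlock certificate are configured by policy, not per volume here.
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType }) -join ',' } }
}

Complete-BitLockerProvisioning -MountPoint 'C:' | Format-List
```

The value to check in the output is `ProtectionStatus`: it stays `Off` while only the clear key exists and should read `On` once the TPM and recovery-password protectors are in place; a device shipped with pre-provisioning but without this second step is encrypted yet unprotected.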
New Defrag tool: now supports SSDs by sending “Trim hints”, which allow the OS to tell the drive hardware that it is not using certain areas of the flash. The drive then issues a reclaim to free that area.
SSDs: their disadvantage is that they have a finite number of write cycles available to them over the life of the drive itself. Defragmentation involves moving lots of data to different places on the surface of a drive, so it follows that the process itself is very write-intensive. Thus, consistent and periodic defragmentation can negatively affect the life of a drive.
http://www.corsair.com/blog/how-to-enable-trim-support-for-your-ssd/
Since a memory block must be erased before it can be re-programmed, TRIM improves performance by proactively erasing pages containing invalid data, allowing the SSD to write new data without first having to perform a time-consuming erase command.