Chapter 6: Windows Disk Protection

The Windows Disk Protection tool protects the Windows operating system and program files from being permanently changed on a Windows partition. During a session, a user can make changes as necessary within the bounds of any restrictions placed on the user. When the computer restarts, Windows Disk Protection returns the Windows partition to its original condition, discarding any changes made during the user session.

This tool helps protect computers from users who might attempt to damage the operating system, and it also prevents malware and spyware from tampering with the computer.

Definition: malware
Malicious software, which includes viruses, worms, and Trojan horses, that is designed to harm a computer operating system.

Definition: spyware
Potentially unwanted software that may collect personal information and is inappropriate for shared computers.

Each time the computer restarts, Windows Disk Protection returns the partition that holds the Windows and program files (called the Windows partition) to its original state. This provides the next user with a standard and reliable experience.

Important
Before you turn on Windows Disk Protection, be sure that you have correctly prepared the disk and created, customized, and restricted the required user profiles as discussed in the previous chapters.


Turn On Windows Disk Protection

The default behavior of Windows Disk Protection is to clear disk changes made to the Windows partition with each computer restart, thereby protecting the disk from unwanted changes. Operators can at any time choose to save changes made to the disk. Operators can also schedule Windows Disk Protection to download, install, and save critical updates to disk automatically while the computer is not in use.

Note
For best disk performance, defragment your Windows partition prior to turning on Windows Disk Protection. Do not defragment the disk when Windows Disk Protection is on.

To turn on Windows Disk Protection and schedule critical updates

  1. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Windows Disk Protection. Restart the computer if requested and then start Windows Disk Protection again.

  2. In the Restart Action section, click Keep On. If this is the first time you have used the Shared Computer Toolkit, Windows Disk Protection creates the protection partition. The computer requires a restart to complete the initialization process.

  3. After the restart, return to Windows Disk Protection to complete the configuration.

  4. If Windows Disk Protection identifies antivirus software it knows how to update, it displays a dialog box to this effect. If you see this dialog box, click OK.

  5. If Windows Disk Protection did not detect your antivirus software, click Set to specify an antivirus script you have created. You can configure other update scripts as needed to manage updates for third-party programs.

  6. In the Critical Updates section, configure the day and time at which Windows Disk Protection should download and install critical updates.

  7. For Microsoft Updates, click Enabled to enable critical Microsoft updates.

  8. Click OK.

  9. Windows Disk Protection displays a message that states that the computer must be restarted for the changes to take effect. Click Yes to restart the computer.

Important
Do not attempt to change any partition after Windows Disk Protection is turned on because it tracks physical disk and partition numbers and they must not change. If you must change partitions, turn off Windows Disk Protection and delete the protection partition before making any partition changes.

Figure 6.1 The main screen of the Windows Disk Protection tool

The default setting for Windows Disk Protection is to Clear changes with each restart. This option ensures that untrusted users and malware cannot save any disk changes to the Windows partition of the computer. When the computer restarts, all disk changes that were made are removed, and the computer returns to its previous state.

The Restart Option will not become available to change until after the computer has been restarted with Windows Disk Protection turned on. This ensures that Windows Disk Protection is started with the default settings.

Note
Services, such as event logging, that usually write to the Windows partition will not be able to permanently record log entries because new entries will be lost when changes are cleared. To keep event logs, consider moving them to a persistent volume. This process is covered in the “Improve the Performance of Windows Disk Protection” section later in this chapter.

Hibernation and Windows Disk Protection

If hibernation is enabled on your system when you turn on Windows Disk Protection, you will receive a message that indicates that hibernation does not work with Windows Disk Protection.

When a system hibernates, it writes the contents of the system RAM to a file on the disk. Because modifications to the Windows partition are cleared when Windows Disk Protection is on and set to Clear changes with each restart, hibernation will fail.

To disable hibernation, open Control Panel, double-click Power Options, click the Hibernate tab, and then clear the Enable hibernation check box.

Windows Disk Protection Status

When Windows Disk Protection is on and Getting Started is not configured to run automatically, a popup called Disk Protection Is On will appear when you log on as the Toolkit administrator. This popup provides a convenient way to open Windows Disk Protection when you have to save changes to disk.

Figure 6.2 The Disk Protection Is On popup

If you want to stop this popup from appearing, delete the Check Windows Disk Protection shortcut from the Toolkit administrator’s Startup folder.

Critical Updates

When you turn on Windows Disk Protection, it will continue to install Microsoft critical updates using the Automatic Updates schedule you may have configured previously. It will use Microsoft Update, Windows Update, or Windows Server Update Services, depending on which of these is currently used by Windows. (Software Update Services is not supported.) You can enable or disable Microsoft Updates and set the schedule to suit your needs when you turn on Windows Disk Protection.

When Windows Disk Protection downloads and installs critical updates, it will log off the active user, restart the computer to clear disk changes, and temporarily disable local user accounts to prevent unapproved disk changes from being saved at the same time. After downloading and installing the updates, it will set Windows Disk Protection to Save changes with next restart and then restart the computer.

In addition to being able to save Microsoft critical updates automatically, Windows Disk Protection allows a script you select to save antivirus updates and updates for other programs.

Alternatively, you can schedule antivirus updates through the graphical interface your antivirus product provides. Schedule the updates to occur at the exact same hour and day(s) as the schedule you select for critical updates in the Windows Disk Protection tool. The Windows Disk Protection critical updates process will wait at least 10 minutes for other updates to be completed concurrently before it restarts the computer to save disk changes.

Windows Disk Protection will offer to perform antivirus updates automatically as part of the critical updates process if it detects an antivirus product it knows how to update. The Toolkit currently detects and includes scripts for updating the following antivirus products:

If you have another antivirus product, you might want to prepare a signature update script for it as described in your antivirus software manual. Look for sections that describe the command-line tools that perform signature updates.

Check the Microsoft Windows Shared Access newsgroup to see if anyone else has already created a signature update script for the antivirus software you have.

Note
For more information about the Windows Disk Protection critical updates process, see Appendix A, “Technical Primer.”

Other Updates from Microsoft

Windows Disk Protection only automates critical updates from Microsoft—it does not automatically install recommended updates, optional updates, driver updates, or special updates that may have their own license agreements. Review the updates available on Microsoft Update periodically, download and install the ones you want, and then use the Windows Disk Protection tool to save changes to disk.

Save Changes When Windows Disk Protection Is On

When Windows Disk Protection is on, you must take special actions to make permanent changes to the disk. Such changes include installing a program, modifying the registry, adding a user account, or configuring system settings for users.

Important
Restart the computer once before you change the Windows Disk Protection restart option to clear all past changes that you might not want to keep.

To install a program when Windows Disk Protection is off, log on to the computer as the Toolkit administrator, install the program, and then make sure that the program shortcut appears on the appropriate Start menus. When Windows Disk Protection is on, these disk changes must be saved within the Windows Disk Protection tool.

Sometimes, you need to make a permanent disk change. Although you could accomplish this by turning off Windows Disk Protection long enough to install the program, this action requires that you remember to turn on Windows Disk Protection after you finish installing the program. A faster approach is to use Save changes with next restart, as described in the following process.

To make changes when Windows Disk Protection is on

  1. Restart the shared computer to ensure recent disk changes are cleared.

  2. Log on as the Toolkit administrator.

  3. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Windows Disk Protection. Alternatively, you can click the Open Windows Disk Protection link in Step 7 of Getting Started. A shortcut is also included in the Quick access section near the top of the Getting Started window.

  4. Click Save changes with next restart, and then click OK. A restart will not occur at this time.

  5. Make the required changes (such as installing software or changing a user profile) to the shared computer and then restart the computer.

  6. When the computer restarts, Windows saves your changes to the Windows partition and automatically returns to Clear changes with each restart.

Retain Changes When Windows Disk Protection Is On

In some situations, users might need to install a program or make system changes that you want to test or do not want to keep on the computer permanently—yet a restart is required.

Important
The Retain changes for one restart option remains in effect for only one restart. When the computer completes the restart, the tool will return to the default restart option: Clear changes with each restart.

To retain changes temporarily when Windows Disk Protection is on

  1. Restart the shared computer to clear past disk changes.

  2. Log on as the Toolkit administrator.

  3. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Windows Disk Protection.

  4. Click Retain changes for one restart and then click OK to exit the tool.

  5. Make the changes that you want, and then restart the computer.

  6. Allow the user to log on and use the computer.

  7. After the user session, you can restart the computer again to undo changes to the Windows partition and automatically return to Clear changes with each restart. Alternatively, you can choose to Save Changes with next restart.

The above approach can also be used to perform a CHKDSK of the Windows partition, which requires a restart of the computer.

Important
If you plan to use the Retain changes indefinitely option for extended periods of time, Windows Disk Protection will require more unallocated disk space. The protection partition should match the size of your Windows partition to run this way indefinitely.

Retain Changes Indefinitely When Windows Disk Protection Is On

This option allows operators to accomplish tasks that can involve installing and testing several new programs. After you click Retain changes indefinitely, changes will continue to accumulate on the computer until you click Save changes with next restart or Clear changes with each restart.

The Retain changes indefinitely option can be particularly useful if you need to install several new programs. For example, after this option is enabled, you can install a new program, test it for potential compatibility issues with the other programs on the computer, and then move on to installing other programs before clearing or saving all disk changes.

Improve the Performance of Windows Disk Protection

Ways to improve the performance of Windows Disk Protection include defragmenting the disk when Windows Disk Protection is turned off and eliminating unnecessary disk writes by moving the virtual memory paging file and event logs to a persistent partition.

These activities are entirely optional and are intended for operators with a high level of expertise managing Windows XP.

Defragment the Windows Partition

You can optimize disk performance on the Windows partition if you defragment the partition before you turn on Windows Disk Protection. You should not need to defragment the Windows partition often after this. Although the installation of critical updates and program fixes will add a negligible amount of fragmentation, the disk should not require a subsequent defragmentation pass.

Do not defragment the Windows partition when Windows Disk Protection is on. Turn off Windows Disk Protection to defragment the disk.

To defragment the Windows partition

  1. Turn off Windows Disk Protection.

  2. Restart the computer to complete the deactivation of Windows Disk Protection.

  3. Use the Windows Disk Defragmenter or a third-party tool to defragment the Windows partition.

  4. Turn on Windows Disk Protection and then restart the computer.

Move the Virtual Memory Paging File

The virtual memory paging file is the file that holds parts of programs and data files that do not fit in memory. Windows XP stores this paging file in the Windows partition by default. Writing data to a paging file located on the Windows partition can dramatically reduce system performance.

By moving the paging file off the Windows partition to a persistent disk, you allow the system to optimize its use of the protection partition.

To move the paging file to a persistent disk

  1. Configure Windows Disk Protection to Save changes with next restart.

  2. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.

  3. On the Advanced tab, under Performance, click the Settings button.

  4. In the Performance Options dialog box, click the Advanced tab.

  5. In the Virtual memory section, click Change.

  6. In the Virtual Memory dialog box (as shown in the following figure), in the Drive list, click the disk that holds the Windows partition and then click No paging file to remove the paging file from that disk.

  7. Click Set to apply these settings.

  8. In the Drive list, click a disk on a persistent partition, and then click System managed size to configure Windows to allocate space on that disk for a paging file.

  9. Click Set to apply these settings.

  10. Click OK to save the paging file settings. You will receive a message that settings will not be changed until the computer restarts. Click OK to close the dialog box and then click OK to close both the Performance Options dialog box and the System Properties dialog box.

  11. Click Yes when prompted to restart the computer and save the settings change.

Figure 6.3 Placing the paging file on a persistent partition can optimize performance
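The same relocation can be scripted through WMI instead of the System Properties dialog. The following script is an added example, not part of the Shared Computer Toolkit or its documentation; it assumes Windows PowerShell is installed on the computer, and the drive letters C: (Windows partition) and D: (persistent partition) are placeholders to adjust. As in the procedure above, set Windows Disk Protection to Save changes with next restart before running it, and restart afterwards.

```powershell
# Added example (not from the Shared Computer Toolkit documentation):
# moves the paging file off the Windows partition onto a persistent
# partition using the Win32_PageFileSetting WMI class. Assumes Windows
# PowerShell is installed; the drive letters are placeholders.
param(
    [string]$WindowsDrive    = 'C:',   # assumed: partition protected by WDP
    [string]$PersistentDrive = 'D:'    # assumed: partition WDP does not clear
)

if ($WindowsDrive -eq $PersistentDrive) {
    throw 'The persistent partition must differ from the Windows partition.'
}
if (-not (Test-Path "$PersistentDrive\")) {
    throw "Persistent partition $PersistentDrive is not available."
}

# Equivalent of steps 6-7: remove the paging file from the Windows partition.
# Win32_PageFileSetting.Name holds the full path, e.g. "C:\pagefile.sys".
$existing = @(Get-WmiObject -Class Win32_PageFileSetting)
foreach ($pf in $existing) {
    if ($pf.Name -like "$WindowsDrive\*") {
        Write-Host "Removing paging file $($pf.Name)"
        $pf.Delete() | Out-Null
    }
}

# Equivalent of steps 8-9: a system-managed paging file on the persistent
# partition. InitialSize = MaximumSize = 0 is how WMI expresses
# "System managed size".
$target  = "$PersistentDrive\pagefile.sys"
$already = $existing | Where-Object { $_.Name -eq $target }
if ($already) {
    $already.InitialSize = 0
    $already.MaximumSize = 0
    $already.Put() | Out-Null
} else {
    Set-WmiInstance -Class Win32_PageFileSetting `
        -Arguments @{ Name = $target; InitialSize = 0; MaximumSize = 0 } | Out-Null
}

# Show the resulting configuration; it takes effect after the restart
# that saves the change (step 11).
Get-WmiObject -Class Win32_PageFileSetting |
    Select-Object Name, InitialSize, MaximumSize
```

The check that the persistent drive exists matters because a paging file configured on a missing volume is silently ignored, and the computer would then restart with no paging file at all.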

Placing Event Logs on a Persistent Partition

Entries made to system and application event logs stored on the Windows partition will be lost each time the system restarts when Windows Disk Protection is on. For this reason, it may be worthwhile in your environment to move the event logs to a persistent partition. You can accomplish this by making a registry modification as described in the following procedure.

To move the location where event logs are stored

  1. Restart your computer to clear any pending changes to the Windows partition.

  2. Open the Windows Disk Protection tool and configure Windows Disk Protection to Save changes with next restart.

  3. Open the Registry Editor and modify the paths saved in the following registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\

  4. Under each of these keys, change the path stored in the File value to a location on a persistent partition on your computer.

  5. Close the Registry Editor and restart your computer to save the configuration changes.
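The registry edit in steps 3 and 4 can also be applied with a script, which is useful when several shared computers need the same change. The following script is an added example, not part of the Toolkit or its documentation. It assumes Windows PowerShell is installed; D:\EventLogs is a placeholder folder on a persistent partition, and the .Evt file names are the Windows XP defaults. Run it after step 2 and then restart as in step 5.

```powershell
# Added example (not from the Shared Computer Toolkit documentation):
# points the Application, Security and System event logs at a persistent
# partition by rewriting the File value under each EventLog service key.
# Assumes Windows PowerShell is installed; $LogFolder is a placeholder.
param([string]$LogFolder = 'D:\EventLogs')   # assumed persistent location

# Windows XP default log file names, kept so the files are easy to recognise.
$logs = @{
    'Application' = 'AppEvent.Evt'
    'Security'    = 'SecEvent.Evt'
    'System'      = 'SysEvent.Evt'
}

# The Event Log service runs as LocalSystem and must be able to write here.
if (-not (Test-Path $LogFolder)) {
    New-Item -ItemType Directory -Path $LogFolder | Out-Null
}

foreach ($log in $logs.Keys) {
    $keyPath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $newFile = Join-Path $LogFolder $logs[$log]

    # Report the old path so the change is easy to audit or undo.
    $old = [Microsoft.Win32.Registry]::GetValue($keyPath, 'File', '<not set>')
    Write-Host ("{0,-12} {1} -> {2}" -f $log, $old, $newFile)

    # Keep the value as REG_EXPAND_SZ, the type Windows uses for the default
    # "%SystemRoot%\system32\config\AppEvent.Evt"-style paths.
    [Microsoft.Win32.Registry]::SetValue($keyPath, 'File', $newFile,
        [Microsoft.Win32.RegistryValueKind]::ExpandString)
}

Write-Host "Restart the computer to save the change; logging to $LogFolder starts after the restart."
```

Writing the value with the .NET Registry class rather than Set-ItemProperty keeps the REG_EXPAND_SZ type explicit, so the path behaves exactly like the original value when the Event Log service reads it.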

Manage the Protection Partition

Windows Disk Protection functions very well for its intended purpose when configured according to the instructions in Chapter 2, "Prepare the Disk for Windows Disk Protection." Occasionally, however, it may become necessary to control the configuration of Windows Disk Protection more closely. This section describes how to use a second disk to contain the protection partition—a useful option on computers that have a nearly filled primary disk—and describes a procedure for managing the size of the protection partition.

These activities are entirely optional and are intended for operators with a high level of expertise managing Windows XP.

Place the Protection Partition on a Different Disk

The Windows Disk Protection preparation process described in earlier chapters assumes the use of a single disk drive. At times it is not feasible to use an existing disk drive, either for space considerations (the drive is nearly full) or because some other prerequisite is not met. In this case, you can use a second disk drive to store the protection partition so that Windows Disk Protection can still be used.

The following prerequisites must be satisfied for Windows Disk Protection to create the protection partition on the second disk:

  • The first disk does not have enough space to support a protection partition.

  • The second disk has a primary partition.

  • The second disk has sufficient unallocated disk space after the primary partition to contain the protection partition.

The process of placing a protection partition on a second disk involves installing a second disk, formatting a primary partition (remember that the protection partition must follow a primary partition), and configuring the Windows Registry to allow use of the second disk as the protection partition.

Note
The second disk used in this scenario must meet the other prerequisites for Windows Disk Protection. It must not have more than three primary partitions or must have sufficient free space available in an extended partition.

To use a second physical disk with Windows Disk Protection

  1. Install a second physical disk into your computer.

  2. In Disk Management, create a primary partition at the beginning of the new disk.

  3. Start the Registry Editor. Locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Computer Toolkit

  4. Change the value of SCTForceOverlay to a size in bytes that is smaller than the unallocated disk space on the second disk.

    For example, to create a 3-GB partition, use 3145728 for the value of SCTForceOverlay (3 * 1024 * 1024 = 3145728).

  5. Open the Windows Disk Protection tool. Windows Disk Protection will discover the available space on the second disk and configure the protection partition when it is turned on.

If you want to change the protection partition location afterwards, uninstall and reinstall the Toolkit and repeat the protection partition creation process.

Specify the Size of the Protection Partition

You can create a protection partition of a specified size by using the SCTForceOverlay registry setting mentioned in the previous procedure. This works for either the first disk or the second disk. It is useful when you want to control the size of the protection partition.

The following two prerequisites must be satisfied for Windows Disk Protection to create the fixed-size protection partition on the disk:

  • The disk has a primary partition.

  • The disk has sufficient unallocated disk space to contain the fixed-size protection partition.

To create a fixed-size protection partition

  1. Start the Registry Editor. Locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Computer Toolkit

  2. Change the value of SCTForceOverlay to the size you want to use for the protection partition.

    For example, to create a 2-GB partition, use 2097152 for the value of SCTForceOverlay (2 * 1024 * 1024 = 2097152).

  3. Open the Windows Disk Protection tool. Windows Disk Protection will discover the available space on the disk and automatically configure the protection partition.

If the disk is ever reverted to an unprotected state, you can reverse these settings by changing the SCTForceOverlay value to 0 or by uninstalling and reinstalling the Toolkit.
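The two SCTForceOverlay procedures above (second disk, and fixed size on either disk) differ only in which disk is checked for unallocated space before the value is written. The following script is an added example, not part of the Toolkit or its documentation; it performs that free-space check through WMI and then sets the value, following the chapter's own arithmetic (3 GB gives 3 * 1024 * 1024 = 3145728). It assumes Windows PowerShell is installed, that the Toolkit key already exists, and that disk index 1 is the second physical disk; pass a size of 0 to revert as described above.

```powershell
# Added example (not from the Shared Computer Toolkit documentation):
# sets SCTForceOverlay for a fixed-size protection partition after checking
# that the requested size is smaller than the unallocated space on the
# target disk. Assumes Windows PowerShell is installed; DiskIndex 1 is a
# placeholder for a second physical disk (use 0 for the first disk).
param(
    [int]$SizeGB    = 3,   # 0 reverts to the Toolkit's default behaviour
    [int]$DiskIndex = 1    # assumed: index of the disk that gets the partition
)

$keyPath   = 'SOFTWARE\Microsoft\Shared Computer Toolkit'
$valueName = 'SCTForceOverlay'

function Get-UnallocatedBytes([int]$Index) {
    # Unallocated space = physical disk size minus the partitions already on it.
    $disk = Get-WmiObject -Class Win32_DiskDrive | Where-Object { $_.Index -eq $Index }
    if (-not $disk) { throw "No physical disk with index $Index" }
    $parts = Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.DiskIndex -eq $Index }
    $used = [int64]0
    foreach ($p in $parts) { $used += [int64]$p.Size }
    return ([int64]$disk.Size - $used)
}

# Chapter arithmetic: N GB -> N * 1024 * 1024 (e.g. 3145728 for 3 GB).
$overlayValue = $SizeGB * 1024 * 1024

if ($SizeGB -gt 0) {
    # The partition the tool creates is SizeGB large, so compare that many
    # bytes against what is actually unallocated on the chosen disk.
    $requestedBytes = [int64]$SizeGB * 1024 * 1024 * 1024
    $free = Get-UnallocatedBytes $DiskIndex
    if ($requestedBytes -ge $free) {
        throw ("Requested {0} GB, but disk {1} has only {2:N0} unallocated bytes." -f `
               $SizeGB, $DiskIndex, $free)
    }
}

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if (-not $key) { throw 'Shared Computer Toolkit key not found; is the Toolkit installed?' }

# Preserve whatever value type the Toolkit installer created. If the value is
# missing, DWord is this script's assumption, not something the chapter states.
$kind = [Microsoft.Win32.RegistryValueKind]::DWord
if ($key.GetValueNames() -contains $valueName) {
    $kind = $key.GetValueKind($valueName)
}
$key.SetValue($valueName, $overlayValue, $kind)
$key.Close()

Write-Host "$valueName = $overlayValue (disk $DiskIndex, $SizeGB GB). Now open Windows Disk Protection."
```

The free-space check is the part worth keeping even if the registry write is done by hand: Windows Disk Protection tracks physical disk and partition numbers once it is on, so a value that does not fit should be caught before the tool is opened rather than corrected by repartitioning afterwards.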