Monday, February 17, 2020

Windows 10 Administrative Accounts

How To:  Build a Windows 10 Administrative Account - demote your normal account to a "loser account."

Synopsis:
Steps to convert your normal, daily Windows 10 User Account to a "Standard Account"  (a non-administrative account, a non-elevated account).  This helps prevent Malware from installing and protects the machine from inadvertent changes from other family members.

Use the administrative credentials for system-wide changes.  Use your "loser" account for day-to-day work.  This follows best practice at Microsoft, at most corporations, and at schools.  I use this technique on all of my computers, even for my own account!  I would especially do this on children's computers.


When malware installs, Windows prompts for permission using a UAC prompt (commonly called the Nag), asking for permission to install the software.  Viruses present themselves by enticing the victim with a game or some other program of interest.  Most people see the UAC nag screen and click "Allow," without thinking.   You've probably done this yourself.  In other words, you have given the virus permission to install, not realizing the payload.


This article replaces an older Windows 7 article:  Secure PCs from Offspring.


Administrator vs Standard Users


With a non-administrative account, attempts to install software or to change internal Windows settings are challenged with a user-id and password ("credentials").  This slows down the automatic "ok."  If the user does not know the administrative password (my children, my parents), they cannot make the change without assistance.  This essentially locks the PC from most changes.




The Setup

Follow these steps to enable an Administrative account.

Important:  A new Administrator account must be built before converting your existing account to a "loser" account.  (More than one administrator's account can be created, but this is not needed.)

1. Build an Administrator Account:

Using your current (presumably) Administrator Account (your normal login-credentials)

a.   In the Start Menu's Search box, search for "Control Panel"
      Open "User Accounts"
      Select "Manage another Account"

b.  Click "Add a user account"

c.  at "How will this person sign-in"

    ! Do not enter an email address

    Instead, click "Sign in without a Microsoft account (not recommended)"
       - But this is recommended. 
         The local account will never be used outside this machine.

    Update: As of 2020.02, Microsoft has hidden the "Sign in without a Microsoft Account"
                 option, depending on which Microsoft Update has been applied. 

                 If this option is not available, do one of the following to disconnect from
                 the Internet while this account is being built:

                 * If a laptop on Wireless, switch to Airplane Mode while building this account
                 * If Desktop on Wired, unplug the Ethernet cable
                 * If Desktop on Wireless, click lower-right Wireless icon and disable Wireless




d.  At the second prompt, again select "Local Account"



e.  Set the User-Name to "Administrator"  (recommended, not required)
     Set the password and password hint.

If this is your personal machine, consider setting the password to the same password used for your normal login - one less thing to remember.  It goes without saying, don't forget this password.


f.   Click the new Administrator account.
     Click "Change the account type"


      Change the Account Type from "Standard" user to an "Administrator User"



2.  Logout / Login to the new Administrator account:

a. Click Start, (Shutdown: submenu); "Log off"

b. Login as Administrator (note a new choice is available)
    This builds the Administrator's profile.



3.  Change the original (child's) account:

While logged in as the Administrator,

a.  Start, Search, "Control Panel",
     Open User Accounts,
     "Manage another account"

b.  Select the (future) non-admin account (your account, the child's account)

c. "Change the account type";
Set to Standard User.
Close and save changes.

In other words, demote yourself to a "loser" account.

d.  Logout as Admin.
Re-login as your normal account.
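
The same procedure as a script, as an added example that is not part of the original article. It uses the built-in LocalAccounts cmdlets and enforces the "Important" note above by refusing to demote an account unless another enabled administrator remains. Assumptions: the account name 'LocalAdmin' is a placeholder, and -DailyUser is the local name of the account being demoted.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: scripted form of steps 1 and 3.
# Assumptions: -DailyUser is the local name of the account being demoted;
# 'LocalAdmin' is a placeholder name for the new administrative account.
param(
    [Parameter(Mandatory)] [string] $DailyUser,
    [string] $AdminName = 'LocalAdmin'
)

# Well-known SIDs, so the script also works where group names are localized.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# True when $Account is a direct member of the group identified by $GroupSid.
function Test-Member([string] $GroupSid, $Account) {
    [bool] (Get-LocalGroupMember -SID $GroupSid |
            Where-Object { $_.SID.Value -eq $Account.SID.Value })
}

# Step 1: build the separate local administrator account (skipped if it exists).
$admin = Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue
if (-not $admin) {
    $password = Read-Host -AsSecureString -Prompt "New password for $AdminName"
    $admin = New-LocalUser -Name $AdminName -Password $password -Description 'Answers UAC credential prompts'
}
if (-not (Test-Member $AdminsSid $admin)) {
    Add-LocalGroupMember -SID $AdminsSid -Member $admin
}

# Guard: never demote the daily account unless another ENABLED local
# administrator remains, otherwise nobody could elevate on this machine.
$daily = Get-LocalUser -Name $DailyUser -ErrorAction Stop
$otherAdmins = Get-LocalGroupMember -SID $AdminsSid | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.SID.Value -ne $daily.SID.Value -and
    (Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue).Enabled
}
if (-not $otherAdmins) {
    throw "No other enabled administrator exists; $DailyUser was not changed."
}

# Step 3: make the daily account a Standard user (member of Users only).
if (-not (Test-Member $UsersSid $daily)) {
    Add-LocalGroupMember -SID $UsersSid -Member $daily
}
if (Test-Member $AdminsSid $daily) {
    Remove-LocalGroupMember -SID $AdminsSid -Member $daily
}

# Result: everything that still holds administrative rights on this machine.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, ObjectClass, PrincipalSource
```

Group membership is read at sign-in, so the demoted account keeps its old rights until it logs out and back in, as in step d.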

Results:
You will be running as a "Standard" (non-administrative, non-elevated account).  All programs will run normally, but updates and system changes require credentials.

Administrative credentials are now required before installing software or viruses and will always prompt for UAC permission.  If you have a UAC prompt (and it will now always ask for an account-name and password), hesitate -- decide if the install is safe or not.  Wise people will not tell the children or non-computer-literate parents the administrative password. 

Windows system updates will run as-before (and will install on their normal schedule with their normal system account).  Application installers will prompt for permission before updating.  This is a good thing. 

The Administrator account is also accessible here: 
From the Start Menu, click the People-icon.





On a closing note: Having a backdoor administrative account -- even if it is different than your own personal administrative account, is useful for cleaning simpler viruses which may have only infected the current user.  A backdoor account can help clean-up the mess.  This account is useful if the current user's account becomes corrupted.

-end

Related Articles:
Raspberry Pi-Hole - A DNS SinkHole for security

Windows 10 wakes from Sleep - Solution

How To: Windows 10 wakes from sleep.  Windows 10 computer wakes unexpectedly from Sleep.


Follow these recommended steps for stopping a computer from waking from Sleep or if the computer fails to go to sleep as expected.  These steps will stop many, but not all WAKE events.  This is a work-in-progress.

Use the advanced steps, below, with some caution and reservations, as noted. 

Requires local Administrative rights to the workstation.  Steps here include manual override, assuming you are using a non-administrative account.  Use these login steps, regardless.  See this keyliner article on why you should always run your computer with non-administrative rights: 
Link: https://keyliner.blogspot.com/2020/02/windows-10-administrative-accounts.html



Make all of these changes to fix Sleep problems:

1.  Launch Windows Device Manager as Administrator:

"Administrative rights" also known as "Elevated privileges", or "Elevated rights"

Notes: For non-administrative users, do not launch through Control Panel.

Assuming you are logged in as a non-administrative user, promote the Device Manager to run with elevated credentials.  This cannot be done from the Control Panel, and must be done directly with Device Manager.  (The Windows Control Panel is nothing more than a menu; running with Administrative rights offers no benefit.)


a.  From the Start Menu Search box, type

"C:\Windows\System32\Devmgmt.msc".

b.  From the search results, select "Run as administrator" (or right-mouse-click the found program and select "run as administrator.")

If prompted, type your credentials to login. 
If not prompted, your account already has admin rights.  (Consider reviewing this article.)



2.  Locate and expand "Network Adapters"


a.  Click each found adapter.  If it has a "[Power Management]" tab,

     uncheck [ ] Allow this device to wake the computer.

b.  If the machine has both a wired and wireless adapter (many desktops and laptops do), make this change for each adapter.


Most of the (WAN and PNP) adapters will not have this setting

Disadvantage: On some corporate networks, this stops the network administrator from powering-up the machine for maintenance.

If you see the message:  "You are logged on as a standard user.  You can view device settings in Device Manager, but you must be logged on as an administrator to make changes."  See Step 1.


3.  In Device Manager, locate "Mice and other pointing devices."

Examine each device. 
If it has a Power Management tab, uncheck "[ ] Allow this device to wake the computer."

Benefit:  A bumped desk will not wake the computer.
Minor drawback:  Press any keyboard-key to wake computer.


4.  In Task Scheduler, change how updates happen.

Using steps similar to step 1, search for, and launch "Task Scheduler" as an administrative user with elevated rights.

a.  On the tree side, expand "Task Scheduler Library"
b.  Expand "Microsoft", then "Windows"

c.  In the long list, locate "UpdateOrchestrator"
     In the detail list, Locate "Reboot"
     In the [Conditions] tab, uncheck "[ ] Wake the computer to run this task"



Minor Drawback:  Some updates may be delayed.  This is not an issue.  You will be prompted if a reboot is needed and a convenient time can be picked.

Other issue:  Other scheduled tasks in this same general area, discoverable in Step 6, are not editable with the Task Scheduler, even though they run from within Task Scheduler and changes are made with administrative rights.  See below for Advanced Disable Steps.


5.  If McAfee Virus Scanner is installed...

This reportedly wakes the PC often.

No specific steps listed here, but in general, use the Control Panel's "Programs and Features" to uninstall the program.  Uninstall for this, and other reasons.  Be aware McAfee's uninstall does a poor job uninstalling.   See their website for a more robust un-install tool, which does a better job uninstalling, but it still does it badly. 

I am similarly suspicious of Symantec, and Avast virus scanners for the same reasons.

I recommend using Microsoft's built-in scanner ("Defender"), which is better, with far-less overhead.  


6.   Other research

Expect more Wake events.  As they happen, use this step to diagnose which program is waking the PC.  This report can be checked well-past the actual event but be aware the report is lost at reboot.

a.  Following the procedure in Step 1, search for and launch "CMD"  (DOS Command prompt).  Launch with Administrative rights.

b.  From the DOS prompt, type this command: 

powercfg -lastwake


Review the cryptic report.  This may give hints to other programs which may be running in the background, or which may be in the Windows Task Schedule.  Things such as Acronis Backup or other such programs may be there.  How to resolve these varies by each software publisher.

This report has a long memory, surviving the last event until the machine is rebooted.  Sadly, the report is not dated. 
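
Because the powercfg report is undated, the script below gathers dated wake evidence in one pass and lists what is still allowed to wake the machine (Steps 2 through 4). It is an added example, not part of the original article. Assumptions: it is run from an elevated PowerShell prompt, and the System event log has English message text.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: collect wake evidence in one pass.

# Dated wake history. Each resume is logged in the System log as event ID 1
# from the Power-Troubleshooter provider; the message names the wake source.
function Get-WakeHistory([int] $Max = 20) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
        Id           = 1
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumes English message text; otherwise the whole message is kept.
            $line = $_.Message -split "`r?`n" | Where-Object { $_ -match 'Wake Source' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                WakeSource = if ($line) { ($line -join ' ').Trim() } else { $_.Message }
            }
        }
}

# Enabled scheduled tasks whose [Conditions] tab has
# "Wake the computer to run this task" checked.
function Get-WakeTask {
    Get-ScheduledTask |
        Where-Object { $_.Settings.WakeToRun -and $_.State -ne 'Disabled' } |
        Select-Object TaskPath, TaskName, State
}

# Scripted equivalent of unchecking the box in Step 4. The article notes that
# some tasks refuse the change even with admin rights; that is reported here.
function Clear-TaskWake([string] $TaskPath, [string] $TaskName) {
    try {
        $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
        $task.Settings.WakeToRun = $false
        Set-ScheduledTask -InputObject $task -ErrorAction Stop | Out-Null
        "Wake flag cleared: $TaskPath$TaskName"
    } catch {
        "Not changed ($TaskPath$TaskName): $($_.Exception.Message)"
    }
}

'--- Dated wake history ---'
Get-WakeHistory | Format-Table -AutoSize -Wrap

'--- Devices armed to wake (Steps 2 and 3) ---'
powercfg -devicequery wake_armed

'--- Pending wake timers ---'
powercfg -waketimers

'--- Tasks allowed to wake (Step 4) ---'
Get-WakeTask | Format-Table -AutoSize

# The task named in Step 4.
Clear-TaskWake '\Microsoft\Windows\UpdateOrchestrator\' 'Reboot'
```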

My report detected the wake event documented above, in Step 4, which was subsequently fixed -- but the event remained in the report for several days.  Then, a few days later, the machine woke again.  The new report  showed:

Reason: Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Backup Scan'

This one is harder to fix and I have not been willing to do this: See below, under "Advanced Disable Steps."


7.  Other auto-startup programs may affect Wake events 

Programs in the Startup group, or in Services.msc, may or may not cause Sleep-Wake problems. 

This is documented here as an advanced subject.

a. Locate Startup Programs

Start Menu, Settings (the Gear icon), "Apps".  Select Left-Nav [Startup].

Programs in this area likely run unattended and "may" wake the PC at odd-hours.
Do not disable without researching consequences.

For example, on my computer I have disabled
* All Acronis Backup backend-processes, with the understanding I have to manually launch when needed.

* I disabled Intel Graphics Command Center; knowing I had access via the Control Panel and knowing I was using an external Video-card.

* Older computers may find Java updaters, and other vendor updaters.  I would disable them and run the updates manually.  Updaters are notorious for firing at odd times.


b.  Windows Services.msc

Windows also has (hundreds) of services which run in the background.

From the Start Menu, search, "Services.msc".  Launch with administrative rights.
Just because the service is running, this does not mean it wakes the PC from sleep.  Research before disabling services. Use care in this area. 

When disabling a service, set the service to "Manual" (manual startup), acting as a flag so you know which ones you have touched. With this said, there were no services which I identified as causing Sleep-wake problems.  I have disabled services for other reasons, not documented here.


Advanced Disable Steps
Even with the changes above, using Step 4's reporting, I found other values in the UpdateOrchestrator key where [ ] Wake was allowed to run. 

For example, the "Backup Scan" key is set to Wake, showing in the report like this:

Reason: Windows will execute 'NT TASK\Microsoft\Windows\UpdateOrchestrator\Backup Scan'

-- but even with Admin rights, Task Scheduler would not allow an update to this event's schedule  (prompting for credentials that did not work). 

Reviewing this task, it appears to trigger either Weekly or Monthly (note the Next Run Date).  This is not following the Scheduler's normal daily or weekly scheduled tasks!  I theorize: The Backup runs, then sets its own next schedule, only having one day in the schedule, and that day varies. 



UpdateOrchestrator's other events can be disabled - but the steps are nasty:
-----------------------------------------------------------------------------------------
(and not particularly recommended)

I am reluctant to disable these tasks using these steps, not yet knowing the consequences.
If these steps are used, it disables the services -- there is not a way to simply turn off the [ ] Wake from Sleep setting.  However, it is safe to play with this idea as it is easily un-done.  DOS skills are required.


1.  Create a folder, such as C:\data\downloads\Software\PSTools.
 
2.  Download PSExec (part of PSTools), from Microsoft (a .zip file).

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 
3.  Open the .ZIP.  Highlight all files.  Select "Copy"
     Paste all files in the ...\Software\PSTools folder


4.  From an administrative DOS prompt:

C:

CD\data\downloads\software\pstools
psexec.exe /acceptEula

If the Eula is declined (or some other problem), search the web for PSexec's EULA registry key.  Set the key-value to = 1.  Apologies, I neglected to document this properly.



5.  From this article: 

https://pastebin.com/tDaQwQ9L

Download the illustrated batch file.
Save to ..\Software\PSTools  folder.
Rename the long batchfile name to a shorter name, such as "disableWakeTimers.bat"


Comments about the Batch file:
  • Windows 10 only
  • Must run DOS prompt as Administrator
  • Requires PSTools from Microsoft:  Download steps, above

The edited batch file can lock itself (unheard-of with Notepad and yet it seems to happen)! 

With any editing changes, use Notepad to make the changes.  Close and save.  Then, re-open the Notepad .bat file and confirm the changes were actually saved!  If changes are lost, close the DOS Window, Close Notepad.  Re-open both, and re-edit/save the file.  This appears to release a file-lock.

6.  Instead of letting the batch file stop a half-dozen services, consider editing the batch, commenting-out all changes except for the "Backup Scan."  This way, you can test the process, and test restoring the system to its original settings. 

Edit the batch file:  REMark all lines except "Backup Scan":

schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Backup Scan"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\AC Power Download"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker"
Rem schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\AC Power Install"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start"
REM schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start"


This is the line that is allowed to run (larger font):

schtasks /change /disable /tn "\Microsoft\Windows\UpdateOrchestrator\Backup Scan"

where all are "REMarked" except "Backup Scan"
Close and Save the file.  Reopen in Notepad to confirm changes.


7.  Save the changes to the batch file. 
Close Notepad.  Re-open the batch file and confirm changes were accepted.  (I had problems with this during testing)
 

8.  From the same Administrative DOS prompt:

c:
CD\data\downloads\software\pstools
disableWakeTimers.bat


9.  Confirm the changes:

     Start "Task Scheduler" as Administrator  (From Start, search "Task Scheduler")
     Launch as administrator  (if not, many keys are hidden)

     Tunnel to ....\Windows\UpdateOrchestrator
     Review the Backup Scan task.  It should be disabled.
         Note:  it is not "[  ] Allow Wake"; instead, the entire task is disabled!
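
A way to check the downloaded batch file and record the task state around steps 8 and 9, as an added example that is not part of the original article or of the pastebin script. The folder and batch file name are the ones used in the steps above; the snapshot file name is an assumption. Call Show-BatchCommand and Save-TaskSnapshot before step 8, and Compare-TaskSnapshot after step 9 or after re-enabling.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Folder and batch file name come
# from the steps above; the snapshot file name is an assumption.
$Folder   = 'C:\data\downloads\Software\PSTools'
$Batch    = Join-Path $Folder 'disableWakeTimers.bat'
$Snapshot = Join-Path $Folder 'UpdateOrchestrator-before.csv'
$TaskPath = '\Microsoft\Windows\UpdateOrchestrator\'

# Show the file hash and only the lines that will really execute (blank, REM
# and :: lines dropped), so the edited file can be reviewed before it runs elevated.
function Show-BatchCommand {
    (Get-FileHash -Algorithm SHA256 -Path $Batch).Hash
    Get-Content -Path $Batch |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*@?(REM\b|::)' }
}

# Record which UpdateOrchestrator tasks are enabled before anything is changed.
function Save-TaskSnapshot {
    Get-ScheduledTask -TaskPath $TaskPath |
        Select-Object TaskName, @{ n = 'Enabled'; e = { $_.State -ne 'Disabled' } } |
        Export-Csv -Path $Snapshot -NoTypeInformation
}

# List every task whose enabled/disabled state differs from the snapshot.
# No output means the system is back to its recorded state.
function Compare-TaskSnapshot {
    $now = @{}
    Get-ScheduledTask -TaskPath $TaskPath |
        ForEach-Object { $now[$_.TaskName] = "$($_.State -ne 'Disabled')" }
    Import-Csv -Path $Snapshot | ForEach-Object {
        $current = if ($now.ContainsKey($_.TaskName)) { $now[$_.TaskName] } else { 'Missing' }
        if ($current -ne $_.Enabled) {
            [pscustomobject]@{
                Task          = $_.TaskName
                EnabledBefore = $_.Enabled
                EnabledNow    = $current
            }
        }
    }
}

# Before step 8:
Show-BatchCommand
Save-TaskSnapshot

# After step 9, or after re-enabling:
# Compare-TaskSnapshot
```

With only the "Backup Scan" line left active, Compare-TaskSnapshot should report exactly one changed task after step 8 and none after the re-enable run.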


To re-enable:
--------------------------------------------------------------
Close the DOS prompt
Close Notepad
Re-open Notepad
Change "/disable" to "/enable"
Save Batch file; re-open to confirm.
From an Administrative DOS prompt, re-run the batch file.
Confirm with an Administrative run of "Task Scheduler"; note next scheduled date...

If satisfied with testing, continue and disable all:
------------------------------------------------------------------
Close, etc., all.  Edit the file, removing all REMarks.
Re-run the batch file to disable all tasks.

This is less than ideal.  "schtasks" does not have a command option to [ ] Allow Wake.
This is a lot of work, and some danger, just to stop these services from waking.  I have not experimented with forcing a new "Monthly" schedule -- fearing it would run monthly (which means far-fewer Wakes, but I fear it would stack multiple schedules for its next run).

Microsoft's documentation for "schtasks" can be found here:
https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks


Comments are welcome.


Related articles:
Windows 10 Administrative Account - Everyone should do this
Frankenputer - Building a new Home PC - much fun

Friday, January 3, 2020

Logitech G513 Keyboard

Logitech G513 Keyboard

Keyliner's new Frankenputer, "Nancy," wanted a new keyboard. 

I have long been a fan of mechanical keyboards, but I have been using cheap plastic keyboards for the past several years.  They universally suck.  Some are better than others, but nothing beats a mechanical keyboard.

Even though I am not a gamer, Logitech won my business with the G513 Gaming Keyboard ($130). 



Keyboard Features:
  • Romer-G Tactile (mechanical) keys
  • Backlighted keys - surprised at how much I liked this
  • Individually controlled key colors:  See photos
     
  • Weight!  This is a heavy keyboard.  1,100g (2.5lbs)
  • "Aircraft-grade" 5052 Aluminum-magnesium alloy; black or silver.  Feels substantial.
     
  • USB Wired (not wireless); braided cable
  • Nice Palm-rest
  • Fully-programmable keyboard, with macros, etc.



Drawbacks:
  • Moderately expensive: $130. 
    Nobody really wants a twenty-dollar keyboard, but we tolerate them.  Mechanical keyboards are more expensive and always will be.  These are the rib-eye steaks in a hamburger world.
      
  • No Num-lock light (why not?)
     
  • Not as "clicky" as the IBM 3270 Cherry-switch keyboards or the G915's GL switch; this is good and bad.  No doubt this keyboard is quieter.  (The G915, besides being more expensive, has other features such as volume controls, wireless, dedicated macro keys, etc., that I did not want.)
     
  • When the keyboard is first plugged in, it has a wild, and undulating color scheme.  This is done purposely, making you want to download the software to stop this nonsense.  I suppose some kids would like the rainbow effect.  Amazingly, the keyboard will update its BIOS with the software download.  Soon, power cords will need a bios update.  From the Logitech site, download and install "Logitech G Hub".
The keyboard is fully programmable with macros and other features.  It seems complicated and  I have not yet bothered setting anything but the colors.  My understanding is all settings burn into the keyboard (I am now having doubts about this observation).  Once configured, the downloaded software is no longer needed.  There are tutorials on the website.


Full-Color, illustrated:
Although not evident in this picture, I set the home-row anchor-keys "F" and "J" to bright green, where the other alpha keys are a polite blue, making it easy to glance at the home row.   The number-row is red (orange in this picture; a white balance problem).  Page-up and down are yellow.  There was much fun setting these.




The software controlling this is weird and takes a few moments of fiddling to figure it out.  It also seems to be buggy because I can get it in a state where I might change the number-row, and other keys changed at the same time.  Actually, it is more accurate to say the software is irritating. Finding how to set an individual key's color is not obvious. Fiddling around, you can make this work.


Mechanical Switches

The keyboard's key actuators are why you have a preference for one keyboard over another.  Logitech has probably a dozen different actuators.  Cheap keyboards have a plastic-dome sheet that sits under the keys.  When a key is pressed, the dome collapses, making an electrical contact.  This is what most PC keyboards have. They are "mushy," have poor key-travel, with little tactile feedback.

With a mechanical switch, there is a metal spring (and other design features) that provide resistance. On key-press, it hesitates with more resistance.  A micro-second later, as the key is partially-pressed, it  reaches a breaking-point and accelerates to the electrical contact.  This gives the keys a satisfying click.  Your fingers can detect this and touch-typists appreciate the firmness.  The original IBM 3270 and PC-XT keyboards are classic examples of this design.


Logitech has three different mechanical switches, each with different feel, travel, and sound.  


 
I selected the G513 with a Romer-G "Tactile" switch  (which is different than the boring Romer-G-Linear switch), and not quite as good as the GL-switch. 

There are better mechanical switches on the market - with different tactile feedback and "clicky-ness."  The keyboard I wanted was the G915 with GL-Clicky switches, but $230 was out of my league.  Costs and sound-considerations come into play.

The G513 is not out for display at the local Best Buy Electronics store's keyboard aisle.  Instead, they have a small shelf display where a sample of each is on display, one key each.  Tap them all you want and you will not be able to hear or feel the difference -- a single-key doesn't cut-it.  But the keyboard they have on display is the $250 model!  This reminds me of the Williams Sonoma technique of showing a $400 waffle maker, which they never expect to sell.  It makes the mid-priced ones look like a bargain.

But those Best Buy folks are helpful.  I asked a clerk if we could open a box and they happened to have one plugged into a computer along the back wall.  This gave me a chance to feel the keys in the wild.  This is why Best Buy gets my business.  Brick and mortar is worth supporting.  Plus, as of this writing, it was $20 cheaper, being on sale ($130).

Conclusion:

This new keyboard completes my new computer build.  Not only is the new computer fast, modern, and functional, it now feels better.  When nobody is looking, I sit in a darkened room and caress the keys. 


Keyliner previously reviewed the Microsoft Sculpt keyboard, which was well-liked but abandoned.  I type on too many non-sculpt keyboards, and my fingers were confused.  If all keyboards were this style, this would be a hands-down favorite.  If it used the Romer-G or the GL-Clicky actuators, it would be the best keyboard in the world.


Firewall Issues:
After a reboot, Windows Firewall asked for permission to allow LGHUB AGENT (the Logitech software that configures the keyboard).  I promptly denied, thinking the keyboard was already programmed.  Custom colors were lost and had to be re-set.  I am confused by this and some day will report back with more research. 

If you firewalled this like I did, Start, Run, Firewall.  Launch Windows Defender Firewall.  In the Inbound rules, locate LGHUB AGENT.  Select Properties.  Change to "Allow the connection if secure."  Re-program your colors.



Related links:
Unicomp Buckling Spring Keyboards - an IBM 3270 keyboard; a favorite that I have used for many years, using an honest-to-god Cherry-switch.  It is a loud keyboard, but glorious.  Sigh... the keyboard looks so dated, with no backlighting.  I wish they would call me for my industrial-design advice.  I want them to succeed.


Related articles:
Microsoft Sculpt Keyboard
Microsoft Sculpt Wireless Mouse Less Accurate

Keyliner's Newest Frankenputer:  "Nancy"