How to "lock down" Windows on a home PC
July 16, 2009 6:52 AM   Subscribe

I've been wondering if it is possible to apply the same solution to the never-ending problem of Windows corruption (and the resulting degraded performance) that data centers use. As I understand it, Windows is booted over the network, so what happens to the local hard drive does not matter. Is there a way of doing the same thing to a home PC? Can you make a hard drive "read-only" after putting a bootable Windows image on it, and then use a seperate hard drive for data storage? I really detest the solution that MS sponsors (virus protection/firewall software) because it is just another thing that you have to buy which supports it's business partners. Any other ideas?
posted by ackptui to Computers & Internet (7 answers total) 6 users marked this as a favorite
If you're referring to something like a computer lab at a library or university they'll usually use a product like Faronics Deep Freeze which will "roll back" the state of the hard drive each time the system is rebooted.

I've also had good luck by doing most of my work within "virtual machine" software like VMWare or Microsoft Virtual PC (and there are many others). Much of the corruption comes from installing and uninstalling applications, so if you make sure you're always installing to a virtual machine you greatly slow down the degradation. And VMWare at least has a "snapshot" feature that can roll back the virtual machine the same way Deep Freeze would. (Virtual PC and others may have this feature too, I just don't use them much.)

Another nice benefit of either of these approaches is that it will defeat almost any virus as well. (And viruses that could get out of a virtual machine are theoretical and haven't even been created in the lab yet, to my understanding.)
posted by XMLicious at 7:08 AM on July 16, 2009

Part of the problem is involved with installing software and constant additions to registry, background programs, and startup programs. Windows isn't designed to be read-only, you can't install many programs this way.

If you're any good at tweaking, you can trim the registry and startup list. I've managed to tweak five year old Windows installations enough to keep them running surprisingly well, while I've had to fix six month old installations which took a full minute to display the "start" menu after clicking the button.

Dealing with malicious software, that's what AVG, Malwarebytes, and Spybot are for. The free personal versions are pretty solid, and if you like it enough to pay, the premium versions have some handy functionality.
posted by Saydur at 7:13 AM on July 16, 2009 [1 favorite]

You can beat the typical virus or malware with this, but not the more insidious versions or rootkits since you have no way of knowing when the PC was compromised and therefore you could easily restore a compromised system.

A product that will do something similar to what you describe is Trueimage from Acronis. For $50 you can take multiple bootable images of your system and restore them to the same system (in event of corruption) or a new system (in event of hardware failure).
posted by anti social order at 7:40 AM on July 16, 2009

Saydur has it. Production environments figure out the way they want to do things and then do it that way for a while. Desktop users are constantly reconfiguring their systems---just adding a startup item needs a registry edit.

There are people who will partition their hard drives to put data, third-party executables, and the OS on three different partitions. That way any one of them can be reformatted and reinstalled without disturbing the others. I don't know how well the old program files work after you reinstall to a clean registry, though. Maybe they have a separate backup of their registries?

(Obligatory Linux plug here.)
posted by d. z. wang at 7:42 AM on July 16, 2009

Windows SteadyState is the free Microsoft solution for Windows XP and Vista that does this.
posted by paulsc at 7:49 AM on July 16, 2009 [1 favorite]

Another option is to use use accounts that are more limited. The account you create when you 1st set up your pc is usually a member of the Administrator group, and can get into a lot of trouble. It's possible to create accounts with fewer rights, that can get into less trouble.
posted by theora55 at 9:47 AM on July 16, 2009

Another approach a lot of enthusiasts use is to create unattended install scripts. Check out Unattended Windows at MSFN. Getting a complete from scratch to perfect working environment script going is really very time consuming, but it is quite easy to script up the install/configation of your favorite software using AutoIt (and, when available, the software's built in unattended install facilities). I install more than 20 applications in one double click.
posted by Chuckles at 10:11 AM on July 16, 2009

« Older Things to do near Birmingham New Street?   |   How much trouble am I in? Newer »
This thread is closed to new comments.