How to solve UEFI boot and startup problems

Resigned response: "I'll get used to it"

After downloading Firefox 34.0.0, Lounge member ldb wondered whether the browser’s search engine might be broken.

Posting in the Third-Party Browsers forum, he described the differences between his new and old versions of Firefox.

With a bit of help from fellow Lounge members, he gradually understood that the search engine wasn’t broken — it’s just different, as new versions frequently are.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Need efficient way to find stored images
Word Processing	Running different Office versions on various Windows versions
Spreadsheets	Excel formula based on color?
Databases	Record not updatable
Visual Basic for Apps	Compare and italicize
Microsoft Outlook	Sorting sent mail
Non-Outlook E-mail	Using rules in Thunderbird; can’t manage messages in one pass
Other MS Apps	Trouble with OneNote 2013 Screen Clipping tool
Windows
General Windows	Effect of Malwarebytes Anti-Exploit on browsers
Windows 8	Scanning photos
Windows 7	Black screen and instantaneous total shutdown
Windows Vista	How to connect Vista to Win8.1 printer and fix Excel error
Windows Servers	Reconfiguring Server 2008 in new location and getting Internet access
Internet/Connectivity
Internet Explorer	JavaScript required
Third-Party Browsers	Firefox 34.0.0 search function
Application Servers	Running Exchange 2007 command for multiple mailboxes
Networking	Force Windows to “forget” wireless network?
Other Technologies
Security & Scams	Blocking websites
Maintenance	Bitten by Malwarebytes
Hardware	Raspberry Pi
Graphics/Multimedia	Unable to download YouTube video
Other Applications	Thunderbird slowdown

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.

A little bit of alarm for the holidays

In case holiday gift shopping isn’t scary enough for you, this week’s video records the reactions of innocent passersby to a crabby, suddenly animate, ornament. Scaring holiday shoppers and happy children is no way to spread Christmas cheer, but the snowman does get his comeuppance well before spring. Click below or go to the original YouTube video.

Devices for stronger Wi-Fi and data security

When a company makes seemingly outrageous claims about its new product, it’s a dare just begging to be tested.

So we took on a Wi-Fi extender touting a 10,000-square-foot signal range, an ultra-fast and light wireless scanner, and a portable hard drive boasting “the ultimate in data security.” For a bit of fun, we also looked at the new Amazon Fire TV Stick.

Amped Wireless TAP-EX goes the distance

When Amped Wireless stated that its new TAP-EX Wi-Fi range extender (U.S. $120; more info) can boost wireless signals up to 10,000 square feet, the immediate response was a highly skeptical “Really?” Most wireless extenders have significantly smaller coverage.

When I asked Amped Wireless how it achieved that feat, I received this reply:

“To be clear, the product is spec’d at 10,000 square feet. This is not 10,000 linear feet. And the true coverage is much more than that without any interference. However, we test and spec for real-life conditions, as no home is interference-free. Our testing is done here at our headquarters. There are multiple Wi-Fi devices, radios, walls, and other obstructions causing what we consider to be average-to-high interference. We test with both laptops and mobile devices as our clients. We use our own Amped routers; however, the spec of the TAP-EX is independent of the router’s range, of course.”

With that in mind, I ran my own test on the TAP-EX, using a Dell Win7 laptop, iPad Air, iPhone 5, HTC One Windows Phone, and Samsung Galaxy Tab 4. (Each device was tested separately from the others.)

Setting up the TAP-EX was extremely simple, thanks to the 3.4-inch, color touchscreen. The device includes a load of easily configured optional features — such as guest networks and connections for external storage drives — via the extender’s USB port. A pair of 10/100 Ethernet ports provided additional wired connections.

I started my range test by placing the extender in a second-story window of my apartment, facing the street. This scenario had few physical obstructions. The TAP-EX’s status screen indicated a strong, 100 percent connection with my home Wi-Fi router.

I then walked up the street, streaming various YouTube videos on my iPad Air. I managed a distance of about 1,500 feet before the connection sputtered out. As I continued the test, the iPhone 5 failed at about 300 feet — as did the HTC One Windows Phone and the Galaxy Tab 4. Streaming video on the Dell laptop hiccupped at just 150 feet, though I could refresh webpages and receive email somewhat further on.

The obvious lesson here is that Wi-Fi range will vary significantly, based on your mobile device’s antenna.

Next, I placed the extender on a desk in the front of my home and tested the various mobile devices in a notoriously Wi-Fi–unfriendly back room (thus evaluating the effects of common obstructions on wireless speed). In this case, the Dell had no problem playing streaming video — nor did any of the other devices. My Roku box produced cleaner video on my HD TV than it ever had when connected directly to the router. And my downstairs neighbor was delighted by the strong Wi-Fi signal broadcast throughout her apartment.

I doubt you’ll see 10,000 square feet of Wi-Fi coverage, but the TAP-EX does seem to provide a relatively solid boost for eliminating wireless dead zones — and I like its easy touchscreen setup and added ports for external USB and Ethernet devices. It might make a good alternative to powerline-based network adapters.

Fujitsu ScanSnap iX100 really is light and fast

Weighing in at just 14 ounces, the Fujitsu ScanSnap iX100 ($229; info) is about the size of a three-hole loose-leaf punch. Powered by a rechargeable lithium battery, the device produced a color scan of an 8.5-by-11-inch page in just over five seconds. It does seem to live up to its fast-and-light billing.

The ScanSnap iX100 is also impressively versatile, offering both Wi-Fi and USB connections plus a suite of useful utility apps. I loaded the scanner’s software on my Windows notebook, Android-based tablet, and Apple devices. It also supports the Amazon Kindle Fire. Placed in Direct Connect mode, the scanner can also set up wireless connections in the absence of a traditional Wi-Fi network.

Given the scanner’s small size, I initially doubted its ability to make clear digital copies of documents, especially when processing multiple documents at one time. But I was impressed with the results. I could feed it multiple receipts at the same time, and the software let me stitch together documents wider than the standard 8.5 inches. (You simply fold the oversized sheet in half and feed it through twice, once on each side.)

A simple menu in the ScanSnap software lets you quickly choose the destination of digitized information. You can even file scanned material to cloud services such as Dropbox, Google Docs, and SugarSync.

By default, documents are scanned at 300dpi, but you can go as high as 600dpi — or lower for receipts and other items that don’t require high resolution. Fujitsu claims a battery life of up to 260 continuously fed sheets; I didn’t test this, but the ratings for Fujitsu products I have tested were generally accurate.

A price of $229 seems a bit dear for such a small and seemingly simple device. However, you often pay more for portability, flexibility, and speed — all qualities nicely combined in the ScanSnap iX100.

DataLocker keeps your data safe — from everyone

Got secrets? This drive might be just what you’re looking for. As they say about Las Vegas, what goes into DataLocker’s DL3 FE portable hard drive (info) stays in the DataLocker. You don’t need any special software or drivers, but you will need a strong password and a supplied RFID tag to unlock its optional two-factor, military-grade, 256-bit encryption.

Offered in capacities ranging from 500GB to 2TB, this aluminum-housed, USB 3.0 drive measures 4.72 by 3.15 by .91 inches and weighs just nine ounces. But what sets it apart is its touchscreen display into which you enter a password and perform administrative functions. Passwords must contain at least eight characters and can comprise alpha, numeric, and special characters. For added protection from anyone peeping over your shoulder, the display regularly changes the order of letters, numbers, and characters displayed on the drives’ keypad (see Figure 4).

In fact, everything about the DataLocker suggests enhanced security. The drive can be digitally tied to specific PCs, and its optional two-factor authentication includes two radio-frequency identification (RFID) fobs. They’re tied to the drive the first time you bring them close to the drive’s case. The setup also has an auto-lock mode (Figure 5) that can be set to a specified number of minutes.

The unit supports two roles: the “administrator” can change the drive’s setting, including restricting the drive to read-only mode; “users” can only access data. The drive can even be set to a self-destruct mode to mitigate brute-force password hacking (assuming the hacker acquired one of the registered security fobs).

This is not the drive for storing family photos (unless, perhaps, your entire family works for one of those three-letter government agencies). The 500GB DL3 FE will set you back $420; add another $70 more for the 1TB model. But your sensitive data will be secure from theft, both at the office and when on the road. Just remember not to lose that password or the fobs. If you do, everything on the drive is toast.

Amazon goes head to head with Google Chromecast

Amazon’s just-released Fire TV Stick ($39; info) is an inexpensive alternative to Google’s Chromecast device. Attached to the HDMI port on your HD TV, you can stream Netflix, Hulu, Pandora, Spotify, and numerous other video services — including, of course, Amazon’s Prime Instant Video. Amazon boasts that its Fire TV Stick is “the most powerful streaming stick” offered. I haven’t played with Chromecast recently, but Amazon’s product is pretty cool. (Roku also offers its Streaming Stick; site.)

About the size of a large USB flash drive, it comes with a USB power cord and an AC wall adapter. Setup was fast and easy; I simply plugged the Stick into my TV’s HDMI port and used the included remote to enter my Wi-Fi network’s SSID info. After that, I was immediately up and running; the device comes preregistered to your existing Amazon account.

The Stick’s dual-core processor, 1GB of RAM, 8GB of storage, and dual built-in Wi-Fi antennas made for instant and fluid streaming.

If you’re playing video on an Amazon Fire tablet, you can mirror what you’re watching on a Fire TV Stick–attached TV. And with Amazon’s X-Ray feature, I was able to get IMDb movie info in a small inset screen on the TV or see lyrics for songs streaming from my Amazon library.

The included remote was surprisingly intuitive, and with an optional iOS app, I could even use voice commands instead of pushing buttons.

At $39, Amazon’s Fire TV Stick is only four bucks more than Google’s Chromecast. But then the Google product doesn’t come with a remote — you must use a smartphone, tablet, or PC. The Stick is one of those nice little stocking stuffers — cheap, fun, and easy to use.

How to solve UEFI boot and startup problems

Successor to the antiquated BIOS, the Unified Extensible Firmware Interface (UEFI) adds powerful security tools to post-XP systems.

Ironically, UEFI can also block important repair, recovery, and backup tools that boot from DVDs, CDs, or USB drives.

Windows 8’s tight integration with a PC’s UEFI can be especially problematic when you need to run bootable rescue media. This article will show how to fully master the UEFI boot system on Vista, Windows 7, and Windows 8 systems. At the end, you’ll have the benefits of UEFI security but also know how to bypass its drawbacks.

The many strengths — and weaknesses — of UEFI

From the start, all PCs have contained low-level, semipermanent software that wakes up a system’s components in the correct order and then hands off overall control to whatever operating system is installed.

In old systems, that software was the Basic Input/Output System, known to nearly all PC users as the BIOS. Commonly called “firmware,” the BIOS was specifically designed to be rarely, if ever, changed or updated. Its sole function was to initiate system startup.

As PCs became more powerful, the BIOS became effectively obsolete (more info). A more powerful and flexible replacement for the BIOS — UEFI — first appeared in PCs in 2005. It’s essentially ubiquitous in newer machines. In fact, it’s likely that the PC you’re using right now is UEFI-based.

Most early versions of UEFI, such as those found in Vista PCs, simply mimicked the limited capabilities of the classic BIOS. Then, a slightly more useful UEFI showed up in many machines sold with Win7. Users could, for example, access the UEFI settings while Windows was running; the UEFI could also access multi-terabyte hard drives and allow vendor-specific enhancements.

UEFI truly came into its own with Windows 8. The OS makes extensive use of UEFI capabilities, including security features such as rootkit protection that starts the moment the PC is turned on — long before the operating system or standard anti-malware tools load.

(For more information on UEFI technology, benefits, and use, see the resources list at the end of this article.)

The cost of UEFI security: UEFI can cause major problems. For example, UEFI can make it very hard to boot an alternate OS such as Linux from CDs, DVDs, or flash drives. It can even prevent you from running self-booting system-recovery/-repair tools or anti-malware apps that run outside of Windows — often, the only effective way to root out malware hiding deep within Windows.

Of course, this UEFI drawback typically shows up at the worst possible moment: after a major system crash or other significant PC emergency. Just when you really need to boot from a rescue disc or flash drive, UEFI might throw up a roadblock, preventing access to the tools you need.

To show you how to take control of your PC’s UEFI system, this article is divided into three major parts: a description of the problematic UEFI components, testing your PC’s UEFI implementation, and how to manage the UEFI.

Let’s get started!

UEFI components that might cause boot trouble

There are five elements of UEFI that can defeat your attempts to launch self-booting media. Later in the story, you’ll see how to adjust these items. But first, the following general descriptions will help you understand what the five elements do.

Note: Though Windows 8 can implement all five elements, Vista and Windows 7 systems use subsets of these components. It’s also important to know that each hardware vendor might enable or disable a different set of UEFI features — or call them by different names. I’ve used the most common names below.

Also, when discussing a “Win8 system,” I mean a PC that was designed to run Windows 8. The OS will run on older PCs, but an older UEFI probably won’t have all five components Win8 supports. The same holds for Vista and Win7 machines.

• UEFI/CSM Boot: Virtually all Win8 — and many Vista and Win7PCs — can boot with either the generic UEFI system (UEFI Boot) or a compatibility-support module (CSM Boot). CSM Boot emulates old-style BIOS actions for operating systems that require it. In some cases, CSM Boot must be specifically enabled before a PC will boot from a “foreign” operating system or from a device other than the hard drive. What’s more, to use CSM Boot, both UEFI Boot and Secure Boot (see next item) must be disabled.
• Secure Boot is a Win8-specific, UEFI implementation that prevents unauthorized or unrecognized operating systems from loading. For example, some classic Linux-based repair/recovery discs lack the required security certifications; they won’t boot if a PC is in Secure Boot mode. If you disable Secure Boot, the system reverts to the generic UEFI Boot.
• Fast Boot is a UEFI option that often varies by vendor and Windows version. In older systems with simpler UEFI implementations, Fast Boot saves a few seconds at startup by skipping several routine hardware checks.

  With Windows 8, Fast Boot significantly speeds the startup process by overriding and skipping many optional settings. For example, it always boots directly from the primary hard drive — no matter what other boot-order settings you might have set manually.

  Typically, Win8’s Fast Boot must be disabled if you want to boot from a standard optical drive, flash drive, network drive, etc. — essentially any source other than your primary hard drive.

• Trusted Boot is a UEFI module that checks the integrity of the startup software before allowing it to load. Trusted Boot is disabled when you select CSM boot.
• Early Launch Anti-Malware (ELAM) is a Win8-specific UEFI implementation that’s active when Secure Boot is enabled. Launching early in the initial boot process, ELAM scans all subsequently loaded system-level drivers to ensure they’re not carrying hostile payloads such as rootkits.

UEFI/CSM Boot, Secure Boot, and Fast Boot usually can be managed separately by end users; Trusted Boot and ELAM typically cannot.

A fully accurate test for UEFI boot problems

You obviously don’t want to discover UEFI-related boot problems while attempting to recover from a major system failure. It’s far better to test your UEFI settings now — well before an emergency.

The test is safe and simple, and it takes only minutes. You simply create a bootable CD, DVD, or flash drive and then try to boot your system from it.

Though any type of bootable media will do, it’s best to test the UEFI with the combination of media and recovery tool you’ll use if your PC encounters trouble.

For example, all versions of Windows feature a built-in tool to create a bootable repair/recovery disk or flash drive. (Every Windows user should have at least this type of emergency tool on hand.) But there are also many third-party repair/recovery tools available.

The April 10 Top Story, “Emergency repair disks for Windows: Part 1” lists nine different options for creating repair/recovery tools — most of them are free. (The title states “disks,” but the tools also can be used on flash drives.)

If you don’t already have a known-good emergency disk or drive available, take a few moments to check out the options listed in the above article. Next, create the bootable media of your choice.

XP, Vista, and Windows 7 users can test their emergency boot medium using techniques described in the April 17 Top Story, “Emergency repair disks for Windows: Part 2.” That article also describes how to work around the most common obstacles that can interfere with successfully booting from a repair/recovery tool.

If you can start your XP, Vista, or Win7 system correctly with the boot disk of your choice, great! You’re done!

If, on the other hand, you run into trouble, skip down to this article’s “Inside the UEFI management software” subsection for possible solutions.

Windows 8 users should continue to the next section below for instructions on testing their UEFI configuration — and to adjust its settings, if needed. (The Win8 information in the aforementioned “Emergency repair disks for Windows: Part 2” is now out of date, due to changes in the operating system itself. Also, many third-party, emergency repair/rescue tools now work with Win8.)

Steps for testing Window 8’s UEFI configuration

Preparation and first steps: As with any major change to your PC, start by saving all your work, closing all running apps, and backing up the system.

• Simplify your PC’s boot hardware as much as possible. Disconnect all potentially bootable external devices — except the one from which you intend to actually boot. For example, if you’re going to boot from a DVD, unplug any unneeded USB drives or flash devices currently connected to your system.
• Open the Charms bar, click the gear icon (Settings), and then click Change PC settings at the bottom of the bar.
• On the PC settings page, select Update and recovery.
• Click Recovery and then, under Advanced startup, click Restart now. (Despite the terminology, your PC will not immediately restart — that’s normal.) The Choose an option page will open.

If your PC has UEFI-compatible hardware, you’ll see a Use a device option (see Figure 1).

If your PC doesn’t show a Use a device option, don’t worry; just skip ahead to the section of this article labeled “The Advanced alternate booting option.”

The simple “Use a device” option: If it’s available to you, Win8’s Use a device options menu is the easiest way to try booting from alternate media or the network. It automatically makes temporary adjustments to the relevant UEFI settings (including Fast Boot and Boot Order) to allow booting from the device you select.

(Use a device won’t work if the hardware is incompatible with UEFI or the alternate OS is incompatible with Secure Boot.)

Unfortunately, there’s no way to know in advance whether all aspects of your system will work correctly with the Use a device setting — you simply have to try booting your PC with the selected device and see what happens. Here’s how:

• Click on Use a device.
• Click on the EFI (extensible firmware interface) device that you want to boot from: USB, DVD/CDROM, or network.
  

  Figure 2. Select the UEFI-compatible boot device you wish to try — in this example, I've selected a DVD/CD drive.

• Click the Reboot button when it’s offered; your PC will shut down and then try to boot from whatever device you selected.
• Follow the instructions for whatever prompt then appears. For example, if you’re booting from an optical drive, you should press a key when the Press any key to boot from DVD or CD ROM prompt appears.

Note: If you have trouble booting from a USB-based drive, use a USB 2.0 port (typically denoted by a white or gray connector) if possible. I’ve found USB 2.0 to be more reliable than USB 3.0 (blue connector) in boot operations.

If your system boots from your recovery media, you’re done! Your hardware, media, and software are all UEFI-boot compatible — as they are.

If the boot process fails, you’ll likely get a rather generic error message. For example, if I try to boot my system from a DVD containing a Linux distribution that’s not compatible with Secure Boot, I get the error message: “System doesn’t have any CD/DVD boot option.” It does have that option, of course — the drive was selected in Use a device — but that option is incompatible with Secure Boot.

No matter what error message you receive, if your PC fails to boot via the Use a device option, just bail; reboot normally back to Windows, work your way back to the Choose an option screen, and follow the steps below.

The Advanced alternate booting option: If Use a device isn’t available or fails, your next stop is the Advanced alternate booting option, available under the Troubleshooting menu.

On the Choose an option screen, click Troubleshoot and then Advanced options (Figures 3 and 4).

If a UEFI Firmware Settings option (Figure 5) appears, select it. Note: This option might also be under a somewhat different label, such as Change UEFI Settings.

If no such option exists, skip down to the section below labeled “If there’s trouble — or no UEFI menu at all.”

On the UEFI Firmware Settings screen, select Restart (Figure 6). Your PC will restart and automatically run its built-in UEFI management software.

Working inside the UEFI management software

UEFI setting pages often look much like classic BIOS screens — and typically work in much the same way. Follow the on-screen directions for navigating to the settings you’re going to change. Next, make the following changes.

On Windows 8 systems, start by disabling Secure Boot. The setting is typically found under Security (see Figure 7), Boot, Authentication, or some similar heading.

Next, on Vista, Win7, and Win8 systems that offer it, disable Fast Boot (Figure 8), commonly found under a Boot Speed option. On my system, Boot Speed is under the Advanced heading.

On Win8 and most Win7 and Vista PCs, set the Boot Mode to CSM (Compatibility Support Module). Again, CSM makes your PC behave as if it had the old-school BIOS required by some software.

On my system, this requires three clicks: one to access the Advanced/System Configuration menu (Figure 9), a second to access the Boot Mode settings, and a third to change to CSM Boot (Figure 10).

Your PC’s labeling might differ from mine, but the idea is the same: deselect UEFI boot and switch to a traditional BIOS-style CSM boot option.

Now set the boot order; you want your PC to first try the device you selected, upon restart. UEFI boot-order settings are usually under the Boot section (or something similar).

For example, if you want to boot from a DVD/CD drive, change the PC’s boot order so that the optical drive is at the top of the list. Your options will likely look somewhat similar to those shown in Figure 11.

When you’re done, save your settings and exit (typically by pressing the F10 key).

Your system will now restart, using a traditional BIOS-type (CSM) boot process. It’ll bypass Secure Boot, skip the Fast Boot shortcuts, and attempt to use whatever device you selected as the first boot device.

If there’s trouble — or no UEFI menu at all

If you know your system has a UEFI, but you can’t find or access its settings, almost all systems offer the alternate, old-school trick of pressing a specific function key during initial boot or using special OEM software. However, whenever possible, it’s best — and safest — to use the menu-access methods described above. It will ensure that Windows and the UEFI system remain in sync.

If you’ve tried everything in this article and still can’t properly control UEFI booting, visit your PC vendor’s online support site and search for instructions specific to your brand and model of PC.

Wrapping up, plus sources of more information

When you’ve successfully booted your system from your emergency repair/recovery tool, make note of any unusual steps you had to take. Store that information with your emergency boot media (DVD/CD, flash drive, whatever), and put both in a safe place. A bit of preparation now could prevent a lot of headaches later — if or when it all hits the fan!

As a last step, undo the changes you made to your UEFI settings, restoring them to their original configuration.

That’s it! You’re done. You can now have the comfort of UEFI’s benefits for routine operation, plus the confidence that you can bypass the UEFI when needed.

For more information on UEFI, boot issues, Win8’s Secure Boot, and related features, see the following sources:

• “Say goodbye to BIOS — and hello to UEFI!” – Jan. 19, 2012, Top Story
• “What is UEFI?” – Microsoft Windows help
• “Unified Extensible Firmware Interface Forum” – UEFI consortium site
• “Boot to UEFI mode or legacy BIOS mode” – MS TechNet article
• “Unified Extensible Firmware Interface” – Wikipedia article
• “Secure Boot” – MS TechNet article
• “Secure Boot overview” – TechNet article
• “Securing the Windows 8 boot process” – TechNet article
• “Windows 8 boot security FAQ” – TechNet article
• “Secure boot feature signing requirements for kernel-mode drivers” – MSDN article
• “Early launch anti-malware” – MSDN article

Controlling Win8's auto-synching of settings

Windows 8’s cloud storage of personalized system settings can lead to unexpected changes. Here’s how to control what’s saved and what’s restored.

Plus: Curing ‘disc not recognized’ errors on CD/DVD drives, why VeraCrypt won’t work with Win8, and salvaging an XP system after a disastrous error.

Win8’s personalization shows up in Win10

Reader Jim Wills runs both Windows 8 and Windows 10 Technical Preview in virtual machines on a Mac. He was very surprised to see that custom settings for one Windows OS almost immediately showed up on the other, unbidden.

Automatic synching of personalization and customization settings across systems is a standard Windows 8 feature — and it’s also part of Win10 Preview. (The fact that the virtual machines were running on a Mac is irrelevant.)

As you might expect, the newest versions of Windows include tools for controlling what’s saved, synched, and restored.

• “I run Windows 8.1 and the Windows 10 Technical Preview in separate VMware Fusion sessions on a new iMac. It works well for me. The iMac has enough computing power to run both VM sessions simultaneously.

  “I thought it would be wise to change the desktop background on one version of Windows so I could quickly recognize which I was using. But that didn’t work; a few seconds later, both the background and the rest of the set theme were replicated on the other Windows system.

  “So, I have to look at the title bar to know which system I am using. That’s not a problem. But here’s the question: Besides the theme, what else is being shared?”

By default, Windows 8 automatically stores seven types of personalization/customization settings in your OneDrive account. So far, Win10 Preview does the same thing. (Win10 is not even in beta at this time — many aspects of the OS can and will change.)

Those settings include the following: your Start screen layout, chosen colors, themes, language preferences, browser history, browser favorites, and the settings for any apps you obtained from the Windows Store.

The settings are synched in the cloud via OneDrive, through which your various Windows systems can then share the same look and feel. You get a familiar environment, no matter what PC you’re using. Signing in to any Win8/10 system with your Microsoft credentials will automatically download and apply your cloud-stored personalization/customization settings to the PC you’re working on.

Because OneDrive is built into Win8/10, signing in to your MS account will also give immediate access to your OneDrive files and Metro-based services/apps — such as Facebook, Flickr, and so forth — that are linked with your MS account.

This automatic synching behavior can be handy; it can also be alarming if you’re not expecting it — it can appear as though your system were making changes on its own!

It’s also peculiar if, like Jim, you have two or more Win8/10 sessions running side by side — changes you make on one setup will visually ripple across to the other in near-real time.

And as Jim noted, it can be problematic if you want two or more Win8/10 setups to remain visually distinct.

Fortunately, this synching can be controlled or disabled. You can even delete all your personalization/customization data from the cloud if you so desire.

Microsoft’s how-to page, “Sync settings between PCs with OneDrive,” has the necessary details. Scroll down the page to find information on how to choose which settings to sync or how to stop synching.

If you encounter errors in synching, try running the automated Microsoft Accounts troubleshooter (download).

To completely delete your personal settings from the OneDrive cloud servers, see this online OneDrive help page (sign-in required).

Fixing a CD/DVD ‘disc not recognized’ error

Mary Flink has an older system whose optical drive is acting up.

• “When I try to make a backup on my old CD writer, I first get the green light indicating that the disc is inserted. But then the green light immediately turns to a flashing orange light and the following error prompt comes on screen:

  ‘CD backup error, Drive is empty. Enter valid disc into Drive D.’

  “What do you think is going on, and what can I do to correct it?”

When a blank optical disc is improperly detected, the problem usually relates to one of these issues:

The disc may be the wrong type. Although many of today’s burners support multiple disc standards, there are still many older models that are standard-specific. For example, a drive that works with DVD/CD +R discs might choke on DVD/CD -R media — or vice-versa. A DVD burner might choke on Blu-Ray discs. Make sure the blanks you bought are the correct type for your drive. For a quick refresher on CD/DVD disc types and names, see a CDBurnerXP page.

The blank disk is damaged or not clean. An errant fingerprint, smudge, scuff, or scratch can prevent a disc from being properly detected and/or written to.

The drive’s optics might need cleaning. CD/DVD drives use a small laser to read and write data. That laser’s lens can become obscured by dust or clouded by accumulated grime. (A PC’s fans constantly draw in room air; some of that air might enter the case via the optical drive.)

You might be able to restore normal operation by cleaning the inside of the drive. Start by turning the PC off and manually opening the drive bay. (Most drives with retractable disc trays have a tiny hole in the front panel. You can open the drive by carefully pushing a straightened paperclip into the hole.) Next, blow a stream of clean, dry air inside the drive. You can try lung power, but it’s better to use a can of compressed air, available for a couple of bucks at most electronics retailers.

If that doesn’t work, with the PC off and the optical drive open, use a barely-damp microfiber cloth (or, in a pinch, a cotton swab) to gently clean the laser lens. Plain water or isopropyl alcohol (rubbing alcohol) is best; don’t use soapy water, Windex, or similar liquids that might leave any sort of residue on the lens.

Some drives, typically those in laptops, place the laser-lens assembly in the drawer itself, as shown in Figure 1. These drives are especially easy to clean.

Other drives keep the lens out of easy reach. You’ll have to remove the drive from the PC and carefully open the top of the drive’s case. It’s not hard to do and usually requires nothing more complex than a screwdriver.

Note: Many electronics stores sell drive-cleaning kits that typically include cleaning fluid and an absorbent mat that’s the size and shape of a CD. To clean the drive, you moisten the mat and play it like a CD. As it spins, it wipes the lens clean.

I don’t recommend these kits. Their cleaning process can be rougher and less controlled than the manual method. (If the drive’s lens gets scratched by overzealous cleaning, there’s no remedy — the drive is permanently ruined.)

If you need more help, Howcast’s “How to clean an optical disc player” page contains a video and step-by-step, text-based instructions on the correct, manual way to clean a drive.

Why VeraCrypt won’t work with Windows 8

John Wells was one of several readers who had questions after reading the Nov. 20 LangaList Plus item, “VeraCrypt: A superior alternative to TrueCrypt?”

• “Hello, Fred! Thanks very much for the pointer to VeraCrypt. I’ve been using TrueCrypt for many years and have been waiting for a replacement since the TrueCrypt project was terminated.

  “But please explain why a VeraCrypt-encrypted container (not whole-drive encryption) is incompatible with the future direction of Windows.”

The short answer is that VeraCrypt (and, so far, all similar products) causes part of the Win8 backup and recovery system to fail.

(Win10 Preview uses the same system, so it appears that this incompatibility isn’t going to go away.)

Specifically, recall that Windows 8 uses a three-part system for backups: File History provides local file and folder backups, OneDrive provides off-site (cloud-based) backups, and Recovery Images lets you restore a PC from the ground up.

(An upcoming Top Story will cover Win8’s three-part backups in depth. In the meantime, see the July 11, 2013, Top Story, “Understanding Windows 8’s File History”; the Oct. 10, 2013, Top Story, “Creating customized recovery images for Win8”; and Microsoft’s OneDrive support page.)

If you use products — such as TrueCrypt, VeraCrypt, or BoxCryptor — that create “containers” with assigned drive letters, you then won’t be able to make or restore Win8 custom-recovery images by normal methods. The process simply fails.

Sometimes, it’s possible to effect a kludgy workaround by unmounting the container and exiting or even uninstalling the app that created the container. With the controlling app totally inert and the container unmounted, you then might be able to create a Custom Refresh Image.

But what a pain.

In contrast, high-quality file/folder encryption works perfectly with Custom Recovery images. For example, 7-Zip (free; site) includes a 256-bit AES encryption option. No hoop-jumping required.

Of course, if you don’t care about using Custom Recovery Images or you use a third-party imaging app, programs such as VeraCrypt might work if you create file-based containers. However, there’s still the problem of whole-disk encryption. It won’t work with Win8’s UEFI Secure Boot or on non-NTFS disks (e.g., GPT; info). At this time, I know of no workarounds for either problem.

To me, there’s not much point in implementing an encryption system that has incompatibilities with Win8’s built-in backup systems — and that likely won’t work with future Windows versions.

File and folder encryption, as provided by products such as 7-Zip, works perfectly with all current — and most likely future — versions of Windows. 7-Zip can provide the same level of protection as VeraCrypt and similar apps, and it’s free. What’s not to like?

XP system dies painfully, won’t restore

Lucien Baltuch is trying to keep an ancient XP system alive, but he ran into major trouble.

• “Dear Mr. Langa, I would be most grateful if you’d agree to help.

  “It’s about rebuilding a Windows XP setup that turned bad. I lost a lot of critical files.

  “I was charmed by your [July 14, 2011, Top Story], ‘Win7’s no-reformat, nondestructive reinstall,’ which referenced the earlier article, ‘XP’s no-reformat, nondestructive total-rebuild option.’

  “I decided to try it without backing up anything. Very wrong to do, but that’s what I did.

  “I followed your instructions as much as possible, but along the way I had error messages. At one point, I was asked for the file iastore.sys from Intel Matrix Storage Manager driver. I didn’t have that.

  “After that I got an error message: ‘ngen.exe, Entry point not found’; then, right after that, ‘.net framework Initialization error’; and, finally, ‘setup.exe, Application error.’

  “At the end, my system would try to start, get to the Dell logo, and then reboot again and again — endlessly.

  “Can you help? Is there hope for my system?”

Sorry you had trouble, Lucien. This is a tough one: you’re working on a 13-year-old, unsupported operating system with no backups.

As a first step, I suggest you try to recover whatever remaining user files you can from the dead system. Because your XP system won’t boot, you’ll need to use a self-contained backup tool, one that boots from a CD or DVD drive.

Using a friend’s borrowed PC, you can download and burn a self-booting backup disc. There are many to choose from; for example, Macrium Reflect (free/commercial; site) or Bacula (free; site). Using the self-booting disc on the XP machine, make an image copy of your damaged system. Save the image file to an external drive or on a network drive, or burn it onto CDs or DVDs.

Alternatively, you can physically remove your PC’s hard drive, attach it to a friend’s PC, and make an image backup there. (You might want to use a drive-connector kit. See the Feb. 13, 2013, Top Story and the March 7, 2013, LangaList Plus column.)

With a full backup, you’re ready to proceed with fixes. Start by trying to get past the error messages you received. The first serious problem you reported was a missing or corrupted Intel Matrix Storage Manager. Your PC needs that file for its hard drive to work properly.

It’s possible that one fundamental error with the Storage Manager was the cause of all the successive errors. If the XP setup program can’t access or write to the hard drive properly, nothing’s going to work correctly!

Try getting the correct Storage Manager for your system. Again, using a borrowed PC, I suggest visiting your PC maker’s site to find and download the Intel Matrix Storage Manager version specific to your model PC. (You said you’re using a Dell; a Dell Support driver page still lists some XP-compatible versions of the Intel Matrix Storage Manager.)

Download the file and store it on a CD or floppy disc. Run the XP setup again on your PC; when it requests the Intel Matrix Storage Manager file, point Windows to the CD or floppy disc.

With luck, having a working Storage Manager will also cure the subsequent problems you report.

When your system’s working again, access the backup you made and try restoring whatever files survived the original, failed rebuild.

With XP booting normally and your surviving files back in place, make a fresh, full backup! You won’t have to deal with lost files again.

Good luck!

Wrapping up a somewhat troubling year of updates

We close 2014 with 85 official Microsoft security bulletins; keeping Windows updated wasn’t always easy.

It was a year of numerous botched updates, including the now infamous patch that drove us to Windows 8.1 Update.

A year notable for Windows-patching missteps

Microsoft started off 2014 by hanging an “Under new management” sign in its window. That was rapidly followed by major changes to the beleaguered Windows 8 and the eventual announcement of Windows 10. The year also proved a difficult time for updating Windows and keeping it secure. Was that a mere coincidence?

For many Windows users, this year’s slew of patching issues started in April, with the official end of support for the venerable XP — the operating system that refused to die. For me, it started with the April release of KB 2919355, aka Windows 8.1 Update.

Microsoft’s mistake wasn’t so much the patch itself but the requirement that all Windows 8.1 users apply it by May 13 — just one month after the update’s release. Microsoft used a big stick to enforce this change: without KB 2919355, Win8.1 users would get no more security patches.

The blowback was immediate. One month was simply too fast for many businesses, and a significant number of individual Win8.1 users couldn’t get the update installed. Eventually, Microsoft backed off its mandate, extending the deadline to June for consumers and August for businesses. Even so, I know of users who are still running into problems with KB 2919355.

The main cause of the update’s failures appears to be excessively effective antivirus software, which corrupts critical software components. To mitigate this problem, the current version of KB 2919355 runs a utility called “clearcompressionFlag,” which ensures that the system can accept the patch. (Again, without KB 2919355, Win8.1 users will not receive security updates.)

One silver lining for the end of XP support was more reliable .NET Framework updates. Too often, patches to Microsoft’s application platform proved troublesome — typically on XP systems. In some cases, the updates failed so spectacularly, users were forced to rip out all installed versions of .NET, usually with help from Aaron Stebner’s famous .NET Framework Cleanup Tool (site). Users then had to reinstall all needed versions of .NET, one by one.

Unfortunately, the focus of troublesome updates shifted from .NET to Windows kernel-mode drivers. In most cases, kernel-update failures were — and still are — caused by incompatibilities with anti-malware apps, which place hooks deep into Windows. (The Windows kernel is essentially the central core of the operating system.)

Successfully installing kernel updates might require disabling or upgrading installed AV apps. Obviously, giving AV products some time to adapt to kernel changes is the better option — and it’s why I typically recommend delaying kernel updates for a couple of weeks.

The latter part of 2014 also saw more than the usual number of recalled and/or replaced updates. One wonders whether Windows has become too complicated, or perhaps Microsoft is having difficulty keeping up with new vulnerabilities, or the company’s focus has shifted heavily to Windows 10 — or all of the above.

Anyone trying Windows 10 should expect problems with updates. The next version of Windows isn’t even in beta and is bound to have teething pains. For example, KB 3022827 is the December Internet Explorer cumulative security update for Windows 10 Technical Preview. Apparently, a few Win10 Preview users could install the update only if they first uninstalled Office. For more on this topic, check out the related tweets by Windows Insiders’ Gabriel Aul.

What to do: Stay tuned to Patch Watch through 2015 for the latest on Microsoft updates. And let’s hope that next year proves smoother than 2014.

MS14-080 (3008923)

Reviewing updates for the usual suspects

As usual, we start with browsers. I have four installed: Chrome, Firefox, IE, and Opera. KB 3008923 is December’s cumulative IE security update. It fixes 14 privately reported vulnerabilities and is rated critical on all workstations. (It’s rated moderate on servers.)

For IE 11, this update also includes a feature that will allow SSL 3.0 fallback warnings. Reportedly, on Feb. 10, 2015, Microsoft will make some related changes to IE 11’s default settings. This update is simply preparation for those changes. (I’ll discuss those changes in a future Patch Watch.)

Chrome users should be on version 39.0.2171.95, which includes the most recent built-in Flash Player update. Firefox is up to version 34.0.5, and Opera is on version 26.

Next, check any other installations of Adobe Flash. As noted in the Dec. 9 Adobe Security bulletin, you should be on Flash Player 16.0.0.235. (Use the Adobe Flash Player page to check the version you’re currently running.)

What to do: Install KB 3008923 (MS14-080) as soon as possible, run all other browsers to ensure they’re up to date, and watch out for unwanted software offers when manually updating Flash.

MS14-081, MS14-082, MS14-083

Google’s Project Zero targets Word and Excel

Google’s Project Zero is an elite group of digital bug hunters, as reported in a Wire story. As acknowledged in MS Security Bulletin MS14-081, the Project Zero team reported numerous vulnerabilities in Word, Excel, and other Office components. In all, the updates in MS14-081, MS14-082, and MS14-083 tackle five Office and SharePoint vulnerabilities.

Note: If you’ve upgraded Office, you might see patches for both Office 2007 and 2010.

MS14-081 includes the following updates, all rated critical:

• 2920793 – Office 2007 SP3 (Word)
• 2899518 – Office 2010 SP2
• 2899519 – Office 2010 SP2 (Word)
• 2910916 – Office 2013 and Office 2013 SP1 (Word)
• 3018888 – Office for Mac 2011
• 2920729 – MS Word Viewer
• 2920792 – Office Compatibility Pack SP3
• 2899581 – SharePoint 2010 SP2
• 2883050 – SharePoint Server 2013 and Server 2013 SP1
• 2910892 – Office Web Apps 2010 SP2
• 2889851 – Office Web Apps 2013 and Web Apps 2013 SP1

MS14-082 includes the following updates, all rated important:

• 2596927 – Office 2007 SP3
• 2553154 – Office 2010 SP2
• 2726958 – Office 2013 and Office 2013 SP1

MS14-083 includes the following updates, all rated important:

• 2984942 – Office 2007 SP3 (Excel)
• 2910902 – Excel 2010 SP2 (Excel)
• 2910929 – Office 2013 and Office 2013 SP1 (Excel)
• 2920790 – Office Compatibility Pack 3

What to do: There are currently no reports of active attacks using these vulnerabilities. Nevertheless, I recommend installing any of the offered updates in MS14-081 and MS14-083 as soon as possible.

UPDATE: There are reports of problems with one or more of the patches in MS14-082. As noted in Stack Overflow posts, the updates break some Excel spreadsheets with embedded ActiveX controls. The status for this update has been changed to hold.

MS14-084 (3016711)

VBScript flaw impacts Internet Explorer

Internet Explorer 8 users are vulnerable to a privately reported VBScript scripting-engine vulnerability that could let an attacker take over PCs. The exploit uses malicious websites. KB 3012176 is critical for Vista and Windows 7 systems and is rated moderate for Windows Server 2003 and 2008/2008 R2. For IE 9 and higher, the fix was rolled into KB 3008923 (MS14-080).

What to do: There are no reported attacks at this time, but it’s expected there will be soon. Install KB 3016711 (MS14-084) when offered.

MS14-085 (3013126)

Malicious JPEGs could lead to data disclosures

KB 3013126 fixes a publicly reported vulnerability in Windows’ Graphic Component. Using bogus JPEG images, a hacker could acquire information about your PC. That information could then be combined with other exploits for more serious attacks. The update is rated important for all currently supported versions of Windows and Windows Server.

Here again, there are no reports of attacks using this vulnerability, but they could appear soon.

What to do: Install KB 3013126 (MS14-085) when offered.

MS14-065 (3003057), MS14-066 (2992611)

Microsoft reissues two November patches

KB 3003057 was the November cumulative update for Internet Explorer. The patch now needs to be installed again on PCs running IE 10 or any machines running IE 8 on either Windows 7 or Server 2008.

KB 2992611 was an update to fix a flaw in the Windows Secure Channel security package. On Dec. 9, Microsoft issued a do-over for Vista and Windows Server 2008 systems.

What to do: Install KB 3003057 (MS14-065) and/or KB 2992611 (MS14-066) if offered.

MS14-075 (2986475, 2996150, 3011140)

Delayed Exchange update finally arrives

As I reported last month, an expected November update for MS Exchange Server never made it out of Microsoft’s quality-control department. It finally showed up among December’s Patch Tuesday releases. Rated important, the update fixed four reported Exchange vulnerabilities. In one exploit, attackers could gain more rights to PCs when users click URLs that go to malicious Outlook Web App sites.

As noted in an Exchange Team blog post, the update for Exchange 2013 includes improvements that should make migrating to that version easier.

Note: A just-added notice in the aforementioned blog post states that flaws were found in KB 2986475 — Exchange Server 2010 SP3 Rollup 8. The update has been recalled.

A friendly reminder to Exchange admins: Back up your systems before applying updates, and ensure you’re aware of the Active Directory schema updates (more info) included in Exchange 2013 CU7.

What to do: Install KB 2996150 or KB 3011140 (MS14-075) after testing.

Flawed nonsecurity update for Root Certificates

This month’s batch of nonsecurity updates for Windows and Office is typical — weighty, especially for Windows 8 and Office 2013. But the number of fixes for Windows 7 and Office 2010 is a bit larger than usual.

So far, the first nonsecurity patch to go down in flames is KB 3004394, an update to the Windows Root Certificate Program. As noted in an MS Community thread, after installing the update, Windows 7 users are running into problems with starting Windows Defender, unexpected UAC prompts, Window update failures, and other issues. Apparently, the update is also causing issues with Windows Server 2008.

Be sure to skip this update until further notice.

For more information on the latest Office updates, see MS Office Sustained Engineering list. That list also includes numerous SharePoint Server updates.

Windows 7/Server 2008 R2

• 2952664 – Compatibility update for upgrading Win7
• 2977759 – Compatibility update for Win7 RTM
• 3006121 – Private EDUCs not displayed in Character Map after applying KB 2982791
• 3006625 – Domain controller freezes with long event subscription manager lists
• 3009736 – MP4 file compatibility issues with non-Windows–based devices
• 3014406 – Startup delays after disabling IPv6 in Win7 SP1 and Server 2008 R2 SP1
• 3015428 – Can’t upgrade to Win7 SP1 when not connected to AC power

Windows 8 and 8.1

• 2976978 – Compatibility update
• 2989930 – Surface Pro 3: pen “not connected” in Bluetooth settings
• 2994290 – November Language Interface Pack
• 3008242 – System won’t enter Connected Standby after installing KB 2996799
• 3012199 – Servicing-stack update (also Server 2012 R2)
• 3013410 – Cumulative time-zone update
• 3013767 – Rollup for Windows RT, Windows 8, and Server 2012
• 3013816 – System Center Mobile Device Manager update
• 3021128 – Office 365 Click-to-Install fails

Office 2007/2010

• 2553140 – Office 2010: User interface enhancements
• 2589348 – Excel 2010: Document Inspector
• 2597088 – OneNote 2010: Improved localization
• 2597089 – Office 2010: Document Inspector
• 2880517 – PowerPoint 2010: Document Inspector
• 2883019 – Office 2010: MAK key crashes
• 2889818 – Outlook 2010: Spell-checker fix, iCloud Internet Calendar crashes
• 2910896 – Office 2010: Improved proofing tools in English, Russian, and Spanish
• 2910899 – Outlook 2010: Junk-mail filter
• 2920789 – Outlook 2007: Junk-mail filter

Office 2013

• 2889938 – Office: Improved Customer Experience Improvement Program logs
• 2889858 – Office: Improved Customer Experience Improvement Program logs
• 2899498 – Excel: Various fixes
• 2899501 – Outlook: Thai characters in subject line
• 2899502 – OneNote 2013: Improved Customer Experience Improvement Program logs
• 2899505 – Excel: Various fixes
• 2899509 – Excel: Pivot
• 2899522 – Office: New graphics drivers to prevent crashes
• 2910907 – PowerPoint: Various fixes
• 2910922 – Office: Improved proofing tools in English, Russian, and Spanish
• 2910926 – Outlook: Junk-mail filter
• 2910931 – Office: Accessing SharePoint 2013 farm through ADFS
• 2920734 – Office: OneDrive for Business sign-ins and other fixes

Other updates

• 2910913 – Visio 2013
• 2910927 – Lync 2013: Various fixes
• 2910935 – OneDrive for Business

What to do: If KB 3004394 is in your Windows Update, hide it; it’s been recalled and will probably be reissued. Put all other nonsecurity updates on hold until the end of the month. I’ll report any issues in the Windows Secrets Lounge. (Use the link at the bottom of this column.)

Regularly updated problem-patch chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about a month after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page. See our “Windows Secrets master Patch Watch chart” post for a more extensive list of recent updates.

Patch	Released	Description	Status
2977292	10-14	EAP security advisory	Optional
3003743	11-11	RDP access logging; possible connection issues	Optional
2899526	11-11	Office 2007; also KBs 2899527 and 2899553	Install
2982998	11-11	Internet Information Services on Win8 and Server 2012	Install
2989935	11-11	TCP/IP; Windows Server 2003 systems	Install
2992611	11-11	Server cipher suites; reissued, install again	Install
2992719	11-11	Japanese Input Method Editor	Install
2993958	11-11	MSXML Core Services	Install
3000431	11-11	SharePoint 2010	Install
3002885	11-11	Kernel-mode driver; denial-of-service attacks	Install
3003057	11-11	IE monthly rollup	Install
3003381	11-11	Active Directory Federation Services	Install
3005210	11-11	.NET Framework; see MS14-072 for full list	Install
3005607	11-11	Windows Audio service	Install
3006226	11-11	OLE zero-day; also KB 3010788	Install
3011780	11-18	Kerberos	Install
3009712	12-09	MS Exchange Server; KBs 2996150 and 3011140 only (KB 2986475 recalled)	Install
3008923	12-09	IE cumulative update	Install
3013126	12-09	MS Graphics Component	Install
3016711	12-09	VBScript; KBs 3012168, 3012172, and 3012176	Install
3017301	12-09	MS Word and Office Web Apps; see MS14-081 for full list	Install
3017347	12-09	Excel; KBs 2910902, 2910929, 2920790, and 2984942	Install
3017349	12-09	MS Office; KBs 2553154, 2596927, and 2726958	Hold

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.