With Windows 8, off isn’t really off

Henri presents the best Wackys of 2012

From the Windows Secrets editors As is our tradition, this holiday season we present the Best of Wacky Web Week from the past year. (Yes, technically the season is over, but because this issue was put together last week, it’s close enough.) Here are the Top 10 Wackys from 2012. But first, we must present a new video from one of our favorite online contributors: Henri, the philosopher cat. In the fifth of his existential ruminations, Henri muses on the holidays — and on sharing with others. Play the video

---

#1 Well-choreographed mayhem in a town square
	Who wouldn’t want drama served up only when you asked for it? And if it were well executed, fast, stylish, and in the end funny, what more could you ask for on a quiet day in a calm country? You’re in luck! And you don’t even have to be in Belgium to watch it. Play the video
#2 Texting while driving: A required tutorial
	We at Windows Secrets obviously don’t use Wacky Web Week to demonstrate our devotion to best practices. By their nature, best practices are rarely wacky. But this week, we’ve found a driving test both devilishly pedagogical and too delicious to keep to ourselves. We’re revisiting Europe for this experience. The town squares and roads in Belgium are serving up spectacles. Play the video
#3 Henri’s existential ennui continues
	Perhaps you were unaware that a handsome but disaffected French intellectual named Henri has been speaking his piece on the Internet. Henri will tell you he’s surrounded by morons. But that’s no reason to avoid his company — au contraire. After you meet the subtle Henri in this video, you might experience an expansion of understanding — for which Henri would not congratulate you. But go ahead: enjoy it anyway. Play the video
#4 Hard news from Pippa the weathergirl
	Whatever your opinion about global warming, it’s a topic as ripe for satire as it is for serious discussion. Happily for those of us who like dark humor, there’s a weathergirl who’s ready with the seven-day forecast — and willing to acquaint us with our bleak fate. Play the video
#5 Maybe a bit too much miniature craftsmanship?
	If you’re a model-train enthusiast, perhaps you know about the miniature world that Hamburg, Germany, has captured and placed on display in its warehouse district. If you haven’t seen or heard of it, well — Hamburg has 900 model trains (with 12,000 wagons) and numerous miniature planes and automobiles with which to fascinate you. You’ll also find tiny fire-breathers, traveling animals, and “surprisingly strong girls.” You’re certain to be mesmerized by the recitation of statistics as well as the spectacle on view. Play the video
#6 Beautiful, strange, and highly disciplined
	Since its founding in Montreal in 1984 by Guy Laliberté and Daniel Gauthier, Cirque du Soleil has raised its tents all over the world — and sent out armies of acrobats, contortionists, clowns, dancers, and musicians to entertain even larger armies of admirers. Amazingly, every new Cirque du Soleil show manages to delight its audiences with startling, never-before-seen acts. Luckily, we can experience some of these feats in a trailer for “Alegría,” now touring cities throughout Europe. Play the video
7 Glamorous Vancouver, B.C., can take a joke
	We at Windows Secrets live in Seattle, which is practically next door to one of the most beautiful cities on the planet — Vancouver, British Columbia. But we think very highly of our city, too, which might explain why we’re eager to spread less-flattering (but true, of course) facts about Vancouver. Some of these you’ll find in this week’s video. But just so you know, Canadians made this video and thoroughly documented the stereotypes you’re about to see. Stylish Vancouver, stuffed to the skyline with civilized denizens of the British Commonwealth, can also laugh at itself! Play the video
#8 Tech-savvy magician is an artful, honest liar
	Magician Marco Tempest used an application he wrote to synchronize videos across the screens of multiple iPods — which he collected from audience members just before show time — for a TED talk last summer. His demo worked just like (and with) sleight of hand, which is impressive under any circumstances but especially when computer code is involved. His patter was a genial meditation on deception: all of it charming and truly skillful. Play the video
#9 Three inanimate dancers: Kite choreography
	Ray Bethell is a world-champion, professional kite flyer from Vancouver, British Columbia. He has managed stacks of kites in the air — as many as 39 at a time. In this video, he flies three kites balletically. Enjoy the show. Play the video
#10 Middle Earth flies Air New Zealand
	Middle Earth didn’t originate in New Zealand, but thanks to the celebrated movies based on the famous Lord of the Rings trilogy and filmed there, Middle Earth is pretty much part of the Kiwi landscape now. To celebrate the Hobbit (and the rest of the adventurers in these stories), Air New Zealand has produced an epic safety video. It’s certain to surprise and entertain jetloads of tourists on their way to see the fictional and real life of a dazzling country. Play the video

With Windows 8, "off" isn't really off

Win8’s default shutoff and startup processes are unlike those of any previous Windows version.

Completely shutting Win8 down — or doing a truly cold boot — requires a few extra steps!

Why Win8 doesn’t fully power down by default

Reader Pete was surprised he couldn’t access the BIOS in his new Win8 notebook by restarting the machine.

• “I just bought a new laptop with Windows 8 on it and ran into quite an interesting problem that I thought Fred (and the rest of the Windows Secrets gang) might find interesting. The machine in question is an Acer V5 Aspire laptop.

  “I wanted to get into the BIOS. The instructions and posts on the Acer forums both said to tap the F2 key repeatedly when the Acer logo screen appears during power-up. No matter how quickly I began tapping the F2 key after a cold restart, I could never get into the BIOS. I called Acer tech support and they described how I could boot to the BIOS from within Windows. Although this worked, it didn’t solve the problem of getting into the BIOS at power-up. I then spoke with a Level 2 technician who was quite knowledgeable.

  “Acer’s shutdown icon lets you select Sleep, Hibernate, Restart, or Shutdown. According to the tech, you must hold down the Shift key while clicking the shutdown icon — and continue to hold Shift until the machine fully powers off. I was then able to enter the BIOS during system startup.

  “The tech stated that Windows 8 doesn’t really shut down when you click the shutdown icon (or go to Power via the Charms bar/Settings). Instead, Win8 goes into a sort of ‘deep sleep’ mode, similar to hibernate. This is one of the techniques the OS uses for fast boots. However, when booting from this ‘deep sleep’ mode, you can’t enter the BIOS via F2. You can get into the BIOS only after a ‘hard’ shutdown (for lack of a better term).

  “I then tried the shutdown command Fred used to create a custom shutdown tile [Nov. 1, 2012, item]. That command also performed the necessary ‘hard’ power-down needed to access the BIOS.

  “Have you heard of this power-down mechanism — where power-down is really just a form of hibernate/deep sleep? Do you suppose this is something unique to Acer machines or common to all Windows 8 machines?”

It’s normal behavior for Win8, Pete. By default, that operating system’s core never shuts down all the way! It’s part of a new feature — fast startup.

When you issue a standard power-down command to Win8, it carries out a hybrid shutdown. Win8 first closes and terminates all user sessions in the expected way. Next, it copies what’s still running in RAM (primarily, the live core of the operating system — the system kernel) onto the hard drive. It then turns off the system hardware.

When Win8 starts up after a hybrid shutdown, it performs a hybrid boot. As soon as the hardware’s ready, the core of the OS reloads from the hard drive; Win8 then picks up right from where it left off. Thus, the OS itself is up and ready to go in a flash. You still have to reload your apps and data the normal way, from scratch.

For more info on Win8’s Fast Startup hybrid shutdown/hybrid boot, see the MSDN blog post, “Delivering fast boot times in Windows 8.”

That’s how it works on most current hardware. However, on some of the newest systems, Win8 can employ an even faster option via a new kind of low-level firmware — Unified Extensible Firmware Interface (UEFI; Wikipedia info). The UEFI replaces the traditional BIOS that’s been a part of every PC since the first IBM PC shipped in 1981.

Simply put, the BIOS (Basic Input/Output System) boots and runs the PC until an operating system (Windows, Linux, etc.) wakes up and takes over. The BIOS has worked well for over 30 years, but with new hardware and software, it’s showing its limitations.

UEFI acts like a BIOS for operating systems that expect to see a BIOS, but it also adds new functions for UEFI-aware OSes, such as Win8.

On a UEFI-equipped PC, Windows 8 can have astonishingly fast startups — especially if the system is also equipped with a solid-state hard drive. How fast? Check out this YouTube Microsoft video, which shows a Win8 laptop booting from dead-off to Start Screen in about seven seconds!

(For a more detailed explanation of Win8/UEFI technology, see the MSDN blog post, “Designing for PCs that boot faster than ever before.”)

As you discovered, Pete, you need to take an extra step to fully shut down Windows 8. There are actually several ways to do so:

• To bypass the hybrid shutdown/boot process, do a command-line shutdown (e.g., shutdown.exe /s /f /t 00). Or embed the command in a custom tile, as I describe step by step in the Nov. 1, 2012, LangaList Plus item, “Add custom tiles to the Win8 start screen.”
• Use Acer’s Shift-key trick — other vendors probably provide something similar to trigger a complete shutdown.
• Disable fast startup via the Shutdown settings in Win8’s Power Options menu. Open the Win8 Control Panel and click Hardware and Sound/Power Options/System Settings. Scroll to the bottom of the dialog box and deselect Turn on fast startup (highlighted in Figure 1).
  

  Figure 1. Disabling Win8's fast-startup option will let the OS shut down completely.

New technologies often require some rethinking and/or relearning of the traditional ways of doing things. You’re among the first to run into this, Pete, but many of us are right behind you!

Wi-Fi acronym soup: WPS, WPA, WPA2, etc.

John Richer is understandably bothered by some confusing Wi-Fi terminology.

• “In reference to the Dec. 12, 2012, Top Story, ‘Routers using WPS are intrinsically unsafe,’ I’m surprised to see there is no reference to the WPA protocol.”

WPA and WPS sound similar, but they’re entirely different technologies that perform entirely different tasks.

WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access Version 2) are security protocols that use encryption for secure access and ongoing communication between connected Wi-Fi devices. (See this Wikipedia article.)

WPA is mostly obsolete because it uses an older encryption technology that’s now relatively easy to crack. WPA2 uses a stronger encryption technology that’s immune to most forms of hacking.

WPS (Wi-Fi Protected Setup) is technology designed solely to automate the initial setup of a Wi-Fi connection (Wikipedia article). WPS doesn’t use encryption — and can actually bypass whatever encryption might otherwise be in use!

That’s the problem addressed in the Dec. 12 story. It doesn’t matter what encryption technology you use or how long and strong your passphrase is — if WPS is active, it can let devices — and hackers! — connect anyway.

That’s why the safest Wi-Fi setup is one with WPS entirely disabled.

Another Outlook/Android synching question

Alan Friedman asks:

• “Does Fred’s Nov. 15, 2012, article on synching email to an Android device apply to any POP3 email — or just to Gmail?”

Android devices typically come with a Gmail-specific app (called, not surprisingly, Gmail) and a separate, generic email app, typically called Email. Between them, your Android device can use either Gmail or just about any non-Gmail, POP3/SMTP or IMAP service you wish.

But the Google Sync tool (site) is specifically for synching Gmail to PC-based email clients such as Outlook or Thunderbird. It also lets you use Gmail while offline.

Important note: As I was writing this article, Google announced, “Starting Jan. 30, consumers won’t be able to set up new devices using Google Sync; however, existing Google Sync connections will continue to function.” (It will continue to be part of Google Apps for Business, Government and Education.)

So, if you have any interest in using Google Sync, set it up within the next month! After that, you won’t be able to set up new sync connections for free.

For more info on using Google Sync, check out a Google help page.

Reader tip: Tracking email sources using Gmail

Will Pearce’s tips tie in nicely with some recent mentions of Gmail in this column, including the preceding item.

• “I take full advantage of Google’s Gmail features and generous accounts policy to limit my exposure to spam, phishing, or email account–hacking attacks:

  “I have separate Gmail accounts for different purposes: commercial transactions, online forums (for posting) and blogs (for comments), personal blogging (for reader contacts), business correspondence, and personal correspondence.

  “I use Gmail’s email address alias feature to brand email addresses I use for online forms. That way I can track the source of an email address leak (i.e., an address that has been shared without my permission). I do this by expanding my address name with a + and a custom phrase.

  “For example, if my email address is name@gmail.com, a branded address might be name+windowssecrets@gmail.com.

  “Unfortunately, not all form fields for email addresses allow the + character. Still, I find that I can use this about 75 percent of the time.”

Thanks, Will!

Reader Will Pearce will receive a gift certificate for a book, CD, or DVD of his choice for sending the tip we printed above. Send us your tips via the Windows Secrets contact page.

A Windows-patching December to remember

Despite how it might seem at times, flawed security updates are relatively rare. When there is a problem, Microsoft typically releases an update for the update.

For example, this past December there was a bug in the patch Microsoft released to fix a font vulnerability. In this special New Year’s edition of Patch Watch, I review three problem updates released in December.

MS12-078 (2753842)

Some side effects from fixing vulnerable fonts

For every Patch Watch edition, I install offered updates on my systems and look for any problems the patches might cause. However, if a patch works on my PCs, there is no guarantee it’ll be problem-free on every PC — there’s a huge variety of PC configurations. The patches in MS12-078, for example, were intended to fix a vulnerability in TrueType and OpenType font files. Unfortunately, installing KB 2753842 had the unforeseen side effect of making fonts disappear in a few major applications such as PowerPoint, CorelDRAW, and other apps commonly used in the printing industry.

A Dec. 14, 2012, Graphics Unleashed blog post gives more details on the problem. Windows Secrets Lounge member Doug.S was also quick to note a discussion of the problem in a CorelDRAW forum

What to do: Microsoft rereleased KB 2753842 on Dec. 20, 2012. Install the new version — and if you are still having issues with this update, please post that information in the related Windows Secrets Lounge thread. I’ll do some more investigation.

931125

Root certificates causing headaches for admins

Microsoft’s Windows root-certificate updating process is confusing and often makes me nervous. Too often, we must trust that a root-cert update won’t have long-term consequences to our systems and networks. KB 931125, the December 2012 root-cert update for Windows XP, is a recent example of some unintended consequences — especially for server admins using Network Policy Server (NPS) to protect their systems.

NPS is a technology that lets admins set minimum standards for PCs that connect to a network. These standards can include installed patch levels, browsers, antivirus software, and more. You’ll find NPS typically deployed on larger networks.

Unfortunately, as noted in MS Support article 931125, KB 931125 was incorrectly offered on Microsoft Update to Vista and later systems. It was also offered via Windows Software Update Services to admins who manage client and server updates across a corporate network. Some admins failed to read the update’s fine print and installed the update on servers, causing issues with their systems, as noted in numerous Windows Server Forums posts.

Some servers, for example, stopped processing NAP requests; the only way to fix the issue was to edit the number of certificates allowed by the server — and to manually remove unneeded certs. This was necessary because servers processing SSL certificates have limited space for storing root certs. Installing KB 931125 inadvertently doubles the number of installed certificates, exceeding the servers’ limits.

What to do: Although the issue with KB 931125 impacts only servers handing SSL certificates, it’s a good reminder that we should, from time to time, review the root certificates installed on our PCs and remove expired and out-of-date certs. I’ll give step-by-step instructions in the next Windows Secrets.

2506143

Take a pass on Windows Management Framework 3.0

In the Dec. 13, 2012, Patch Watch, I recommended passing on KB 2506143, an optional Windows Management Framework 3.0 update that adds PowerShell 3.0 to your workstations and servers. My instincts proved to be on target: there are reports of problems with the update on Exchange 2007/2010 and on Small Business Server 2008/2011, as noted on the MS Exchange Team blog.

What to do: Don’t install this update until I say otherwise. If you’ve already installed it on your Small Business Server, an SBS blog offers steps to fully remove the update.

Zero-day threat for IE Versions 6, 7, and 8

On Dec. 29, 2012, an MSRC blog announced the release of Security Advisory 2794220. The original blog noted that this exploit is already in use and that MS would release a fixit as soon as possible. The patch is now available.

What to do: Your options for avoiding this latest IE threat include immediately upgrading to IE 9 or higher, or using another browser such as Firefox or Chrome. If you must use IE Versions 6, 7, or 8, install the fixit offered in MS Security Advisory 2794220.

Regularly updated problem-patch chart

This table provides the status of problem patches reported in previous Patch Watch columns. Patches listed below as safe to install will be removed from the next updated table. For Microsoft’s list of recently released patches, go to the MS Safety & Security Center PC Security page.

Patch	Released	Description	Status
2553272	08-14	Office 2010 stability/performance fixes (status change)	Skip
2598289	08-14	Office 2010 stability/performance fixes (status change)	Skip
2592687	10-23	Windows RDP 8.0 update for Win7 SP1	Skip
2574819	10-23	Adds DTLS support to Win7 SP1	Skip
2750841	11-13	MS/OpenDNS IPv6 conflict	Skip
931125	12-11	Root certificates	Skip
2506143	12-11	PowerShell 3	Skip
2779562	12-11	Time-zone fix	Skip
2735855	09-11	Windows Filtering Platform: Potential third-party firewall impact	Wait
2553402	10-09	MS FAST Search Server 2010 for SharePoint SP1	Wait
2731771	10-09	Time-zone conversion	Wait
2739159	10-09	Windows 7 encryption	Wait
2754849	10-09	SQL Server; see MS12-070 for complete patch list	Wait
2756822	10-09	Cumulative time-zone update	Wait
2745030	11-13	.NET updates; see MS12-074 for complete patch list	Wait
2647753	10-09	Printing core components — timestamp reissue	Optional
2732487	10-09	Segoe font — timestamp reissue	Optional
2770816	10-23	Install only if KB 2756872 fails; check MS Support site for details	Optional
2661254	08-14	Minimum certificate key length	Install
2720184	11-13	Excel vulnerabilities; see MS12-076 for complete patch list	Install
2727528	11-13	Windows Briefcase	Install
2761226	11-13	TrueType kernel	Install
2761451	11-13	IE 9 cumulative update	Install
2753842	12-11	Windows kernel; also KB 2779030 (UPDATE: status change)	Install
2758857	12-11	Unicode file names	Install
2760410	12-11	Word 2010	Install
2760416	12-11	Office Compatibility Pack (might be offered)	Install
2760421	12-11	Word 2007	Install
2760497	12-11	Word 2003	Install
2761465	12-11	Internet Explorer cumulative update	Install
2770660	12-11	DirectPlay	Install

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.