Saturday, October 23, 2010

BCDEdit Advanced Configuration Explained

 

The Bcdedit.exe command-line tool modifies the boot configuration data store. The boot configuration data store contains boot configuration parameters and controls how the operating system is booted. These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile RAM entries (in Extensible Firmware Interface-based operating systems). You can use Bcdedit.exe to add, delete, edit, and append entries in the boot configuration data store.

 

Commands that operate on a store

/createstore: Creates a new and empty boot configuration data store.

/export: Exports the contents of the system store to a file. This file can be used later to restore the state of the system store.

/import: Restores the state of the system store using a backup file created with the /export command.

/sysstore: Sets the system store device (only affects EFI systems, does not persist across reboots, and is only used in cases where the system store device is ambiguous).

Commands that operate on entries in a store

/copy : Makes copies of entries in the store.

/create : Creates new entries in the store.

/delete: Deletes entries from the store.

/mirror: Creates mirror of entries in the store.

Commands that operate on entry options

/deletevalue: Deletes entry options from the store.

/set: Sets entry option values in the store.

Run bcdedit /? TYPES for a list of datatypes used by these commands.

Run bcdedit /? FORMATS for a list of valid data formats.

Commands that control output

/enum: Lists entries in the store.

/v : Command-line option that displays entry identifiers in full, rather than using names for well-known identifiers. Use /v by itself as a command to display entry identifiers in full for the ACTIVE type.

Running "bcdedit" by itself is equivalent to running "bcdedit /enum ACTIVE".

Commands that control the boot manager

/bootsequence: Sets the one-time boot sequence for the boot manager.

/default: Sets the default entry that the boot manager will use.

/displayorder : Sets the order in which the boot manager displays the multiboot menu.

/timeout: Sets the boot manager time-out value.

/toolsdisplayorder: Sets the order in which the boot manager displays the tools menu.

Commands that control Emergency Management Services for a boot application

/bootems : Enables or disables Emergency Management Services for a boot application.

/ems : Enables or disables Emergency Management Services for an operating system entry.

/emssettings: Sets the global Emergency Management Services parameters.

Commands that control debugging

/bootdebug : Enables or disables boot debugging for a boot application.

/dbgsettings: Sets the global debugger parameters.

/debug: Enables or disables kernel debugging for an operating system entry.

/hypervisorsettings: Sets the hypervisor parameters.

Note: Before you play with BCDEdit make sure you have made a proper backup

Backup BCDEdit:

To make a backup of your current BCD registry, call the BCDEdit /export command, as shown here.

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

bcdedit /export backupbcd.bcd

 

Restore BCDEdit:

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

bcdedit /import backupbcd.bcd

 

How to run the Command

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

Type in bcdedit /enum all

This will show you all startup entries. Likewise, you can run other commands to view and modify the boot settings.

How to Change the Default Operating System Entry

First, view the current boot manager configuration.

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

bcdedit /enum {bootmgr}

Then, in the elevated Command Prompt, run the command below to view the current entries.

bcdedit /enum

To change the default boot entry, type in the following command:

bcdedit /default {new entry}

For example: bcdedit /default {7f17102e-bc3b-11df-bd74-f9bb1d9e0438}

Once you do that, run the following command to see the current default boot entry (bcdedit /default {current} would instead set the running operating system as the default):

bcdedit /enum {bootmgr}

 

To Change the Time out Values

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

Then type in bcdedit /timeout 3

 

How to Change the Order of Boot Manager

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

bcdedit /displayorder {current} {7f17102e-bc3b-11df-bd74-f9bb1d9e0438}

 

How to Remove a Boot Entry

Click Start, type CMD in the search box, then right-click the result and select Run as administrator.

bcdedit /displayorder {Boot ID} /remove

For example: bcdedit /displayorder {7f17102e-bc3b-11df-bd74-f9bb1d9e0438} /remove

*Tips taken from Windows 7 Resource Kit

Thursday, October 21, 2010

Best Practices for Creating a Secure Guest Account

 

In some environments, you might need to set up a Guest account that can be used by visitors. Most of the time, you’ll want to configure the Guest account on a specific computer or computers and carefully control how the account can be used. Here are some best practices to follow when creating a secure Guest account:

Enable the Guest account for use


By default, the Guest account is disabled, so you must enable it to make it available.

Go to Start, right-click Computer, and click Manage.

Now expand Local Users and Groups and select Users.

In the right-side pane you’ll find Guest. Double-click Guest.

Clear the Account Is Disabled check box. Click OK.

Set a secure password for the Guest account

By default, the Guest account has a blank password. To improve security on the computer, you should set a password for the account.

Right-click Guest, and then select Set Password.

Click Proceed at the warning prompt.

Type the new password and then confirm it. Click OK twice.

Ensure that the Guest account cannot be used over the network


The Guest account shouldn’t be accessible from other computers. If it is, users at another computer could log on over the network as a guest.

Go to Start and type secpol.msc in the search box.

Expand the Local Policies branch and select User Rights Assignment.

Double-click Deny Access To This Computer From The Network.

Click Add User or Group, type Guest, and click OK twice.

Prevent the Guest account from shutting down the computer


When a computer is shutting down or starting up, it is possible that a guest user (or anyone with local access) could gain unauthorized access to the computer. To help deter this, you should be sure that the Guest account doesn’t have the Shut Down The System user right.

Go to Start and type secpol.msc in the search box.

Expand Local Policies, then expand User Rights Assignment.

Make sure Shut Down The System policy doesn’t list the Guest account.

Prevent the Guest account from viewing event logs

To help maintain the security of the system, the Guest account shouldn’t be allowed to view the event logs.

Go to Start, type regedit in the search box, then go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

Look for three important registry subkeys:

  • Application
  • Security
  • System

Make sure each of these subkeys has a DWORD value named RestrictGuestAccess with a value of 1. To check, double-click RestrictGuestAccess.

Source: http://technet.microsoft.com/en-us/magazine/ff687018.aspx
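
The Guest account settings above can be verified in one pass. This is an added example, not code from the TechNet source or from this blog: a read-only PowerShell audit that assumes an elevated prompt. The temp-file name and the helper functions Add-Finding and Test-GuestListed are made up for this example.

```powershell
# Added example: read-only audit of the Guest account settings described above.
# Run from an elevated prompt; secedit /export requires administrator rights.
# Written to work on the PowerShell 2.0 that ships with Windows 7.

# The built-in Guest account always has RID 501, even if it has been renamed.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if (-not $guest) { throw 'Built-in Guest account (RID 501) not found.' }
"Guest account '{0}' enabled: {1}" -f $guest.Name, (-not $guest.Disabled)

$findings = @()
function Add-Finding($Check, $Ok, $Detail) {
    # Hypothetical helper: collects one result row per check.
    $script:findings += New-Object PSObject -Property @{
        Check = $Check; OK = $Ok; Detail = $Detail
    }
}

# Export only the user-rights area of the local security policy and parse it.
$inf = Join-Path $env:TEMP 'guest-audit-rights.inf'   # constructed file name
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        # Entries are comma separated; SIDs are prefixed with '*'.
        $rights[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf

# Guest can be listed directly (name or SID) or through the built-in Guests group.
$guestIds = @($guest.Name, $guest.SID, 'Guests', 'S-1-5-32-546')
function Test-GuestListed($Right) {
    # Hypothetical helper: true if any Guest identity holds the given right.
    $hits = @($rights[$Right] | Where-Object { $guestIds -contains $_ })
    return ($hits.Count -gt 0)
}

Add-Finding 'Deny access to this computer from the network lists Guest' `
    (Test-GuestListed 'SeDenyNetworkLogonRight') `
    ($rights['SeDenyNetworkLogonRight'] -join ', ')
Add-Finding 'Shut down the system does not list Guest' `
    (-not (Test-GuestListed 'SeShutdownPrivilege')) `
    ($rights['SeShutdownPrivilege'] -join ', ')

# RestrictGuestAccess must be 1 under each of the three event log subkeys.
foreach ($log in 'Application', 'Security', 'System') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\eventlog\$log"
    $val = (Get-ItemProperty -Path $key -Name RestrictGuestAccess `
        -ErrorAction SilentlyContinue).RestrictGuestAccess
    Add-Finding "RestrictGuestAccess is 1 for $log log" ($val -eq 1) "value = $val"
}

$findings | Select-Object Check, OK, Detail | Format-Table -AutoSize -Wrap
```

Any row with OK = False points at the step above that still needs to be applied. The script cannot tell whether the Guest password is blank, so that step still has to be done by hand.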

Command-Line Switches for Disk Cleanup and How to Automate Disk Cleanup

 

Disk Cleanup offers some cool command-line switches that are documented only in a pair of obscure Knowledge Base articles. Through the use of these switches, you can save your preferences and rerun the cleanup process automatically using those settings. To do so, you need to use the following switches with Cleanmgr.exe:

/Sageset:n Opens a dialog box that allows you to select Disk Cleanup options, creates a registry key that corresponds to the number you entered, and then saves your settings in that key. Enter a number from 0 through 65535 in place of n.

/Sagerun:n Retrieves the saved settings for the number you enter in place of n and then runs Disk Cleanup without requiring any interaction on your part.

To use these switches, follow these steps:

1. Open a Command Prompt window and type the command cleanmgr /sageset:200. (The number after the colon is completely arbitrary; you can choose any other number from 0 through 65535.) Note that you must supply credentials from a member of the Administrators group to begin this task.

2. In the Disk Cleanup Settings dialog box, choose the options you want to apply whenever you use these settings.

3. Click OK to save your changes in the registry.

Automatic Disk Cleanup:

1. Go to Start and type Task Scheduler in the search box.

2. Start the Create Basic Task wizard.

3. Choose how often you want to run it.

4. Then under Action select Start a Program.

5. Under Program / Script type in cleanmgr.exe and type /sagerun:200 in the Add Arguments box.

6. Then click Next and Finish.

Repeat steps 1–6 for other Disk Cleanup options that you want to automate.

Wednesday, October 20, 2010

Windows Defender from the Command Line

 

There are a few command-line options for Windows Defender.

The basic usage at the command prompt is:  MpCmdRun.exe [command] [-options]

You have to elevate the command prompt to run these commands, i.e.

Start | CMD | Right Click and Run as administrator

Then navigate to the Windows Defender installation directory, i.e.

cd /d "%ProgramFiles%\Windows Defender"

-Trace [-Grouping #] [-Level #]: Starts diagnostic tracing.

-RemoveDefinitions [-All]: Restores the installed signature definitions to a previous backup copy or to the original default set of signatures.

-Scan [-ScanType]: Scans for malicious software.

-SignatureUpdate: Checks for new definition updates.

-GetFiles: Collects support information.

-RestoreDefaults: Resets the registry values for Windows Defender settings to known good defaults.

Tip by Matthew Graven, TechNet Tips Editor

Troubleshoot Problems with the Windows Update Client

 

Occasionally, you might discover a client that isn’t automatically installing updates correctly. Such clients are typically identified during software update audits. To identify the source of the problem, follow these steps:

1. Determine the last time the client was updated. This can be done in two different ways—by checking the client’s registry (the most reliable technique) or, if you use Windows Server Update Services (WSUS), by checking the Reports page on the WSUS Web site.
To check the client’s registry, open the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results

registry key. In each of the Detect, Download, and Install subkeys, examine the LastSuccessTime entry to determine when updates were last detected, downloaded, and installed.

To check the WSUS server, open the Update Services console on the WSUS server. Click the Reports icon and then click Computer Detailed Status. Browse the computers to find the problematic computer and examine the updates that have been successfully installed, as well as those that have not yet been installed.

2. Examine any error messages returned by the Windows Update client by viewing the client’s %SystemRoot%\WindowsUpdate.log file. This text file contains detailed output from the Windows Update client, including notifications for each attempt to find, download, and install updates. You can also use the WindowsUpdate.log file to verify that the client is attempting to access the correct update server. Search for any error messages in the Microsoft Knowledge Base for more troubleshooting information.

 

3. If you are using WSUS, verify that the client can connect to the WSUS server. Open a Web browser on the client and go to http://<WSUSServerName>/iuident.cab. If you are prompted to download the file, this means that the client can reach the WSUS server and it is not a connectivity issue. Click Cancel. If you are not prompted to download the file, you might have a name resolution or connectivity issue, or WSUS is not configured correctly. Troubleshoot the problem further by identifying why the client cannot communicate with the WSUS server using HTTP.

 

4. If you can reach the WSUS server, verify that the client is configured correctly. If you are using Group Policy settings to configure Windows Update, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to check the computer’s effective configuration. Within RSOP, browse to the Computer Configuration\Administrative Templates\Windows Components\Windows Update node and verify the configuration settings.


5. If you think WSUS is not configured correctly, verify the IIS configuration. WSUS uses IIS to update most client computers automatically to the WSUS-compatible Automatic Updates. To accomplish this, WSUS Setup creates a virtual directory named /Selfupdate under the Web site running on port 80 of the computer on which you install WSUS. This virtual directory, called the self-update tree, holds the latest WSUS client. For this reason, a Web site must be running on port 80, even if you put the WSUS Web site on a custom port. The Web site on port 80 does not have to be dedicated to WSUS. In fact, WSUS uses the site on port 80 only to host the self-update tree. To ensure that the self-update tree is working properly, first make sure a Web site is set up on port 80 of the WSUS server. Next, type the following at the command prompt of the WSUS server:
cscript "<WSUSInstallationDrive>:\program files\microsoft windows server update services\setup\InstallSelfupdateOnPort80.vbs"

If you identify a problem and make a configuration change that you hope will resolve it, restart the Windows Update service on the client computer to make the change take effect and begin another update cycle. You can do this using the Services console or by running the following two commands:
net stop wuauserv
net start wuauserv

Source: http://technet.microsoft.com/en-us/magazine/gg153542.aspx
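
Steps 1 through 4 above can be collected from the client in one pass. This is an added example, not code from the TechNet source or from this blog. It assumes the WSUS server is set by Group Policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (values WUServer and AU\UseWUServer) and that problem lines in WindowsUpdate.log are marked WARNING: or FATAL:.

```powershell
# Added example: read-only checks for troubleshooting steps 1-4 above.
# Written to work on the PowerShell 2.0 that ships with Windows 7.

# Step 1: last successful detect/download/install times recorded by the client.
$results = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results'
foreach ($phase in 'Detect', 'Download', 'Install') {
    $t = (Get-ItemProperty -Path "$results\$phase" `
        -ErrorAction SilentlyContinue).LastSuccessTime
    if (-not $t) { $t = '(no LastSuccessTime recorded)' }
    '{0,-9} last success: {1}' -f $phase, $t
}

# Step 4: which update server does policy point the client at?
$pol      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).WUServer
$useWsus  = (Get-ItemProperty -Path "$pol\AU" -ErrorAction SilentlyContinue).UseWUServer
'Policy WUServer = {0}, UseWUServer = {1}' -f $wuServer, $useWsus

# Step 2: recent problem lines in the client log, and whether the log
# mentions the configured server at all.
$log = Join-Path $env:SystemRoot 'WindowsUpdate.log'
if (Test-Path $log) {
    'Last 15 WARNING/FATAL lines in {0}:' -f $log
    Select-String -Path $log -Pattern 'WARNING:|FATAL:' |
        Select-Object -Last 15 | ForEach-Object { $_.Line }
    if ($wuServer) {
        $hits = @(Select-String -Path $log -SimpleMatch $wuServer)
        '{0} log lines mention {1}' -f $hits.Count, $wuServer
    }
} else {
    'Log file not found: {0}' -f $log
}

# Step 3: can this client fetch iuident.cab from the WSUS server over HTTP?
if ($wuServer) {
    $url = $wuServer.TrimEnd('/') + '/iuident.cab'
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Method  = 'HEAD'      # headers only, the file is not downloaded
        $req.Timeout = 10000       # milliseconds
        $resp = $req.GetResponse()
        'Reached {0}: HTTP {1}' -f $url, [int]$resp.StatusCode
        $resp.Close()
    } catch {
        'Could not fetch {0}: {1}' -f $url, $_.Exception.Message
    }
} else {
    'No WSUS server is configured by policy; skipping the iuident.cab check.'
}
```

The script changes nothing on the client; restarting the Windows Update service after a fix is still done with the two net commands above.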

Local Group Policy Editor Tweaks:

 

In this article I’ll show you a few tips that you can apply using the Local Group Policy Editor.

Preventing Access to Registry

This section shows how to disable access to the Registry Editor.

  • Go to Start and type GPEDIT.MSC in the search box.
  • In the Local Group Policy Editor, open the User Configuration | Administrative Templates | System branch.
  • Double-click the Prevent Access to Registry Editing Tools policy.
  • Click Enabled.
  • In the Disable Regedit from Running Silently? list, click Yes.
  • Click OK.

Once you set this policy, you won’t be able to use the Registry Editor.

Disabling Internet Explorer’s Security and Privacy tabs

If you want to prevent someone from accessing Internet Explorer’s Security and Privacy tabs, here is how to do it.

  • In the Local Group Policy Editor, select the User Configuration | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel branch.
  • Double-click the Disable the Privacy Page policy.
  • Click Enabled and then click OK.
  • Double-click the Disable the Security Page policy.
  • Click Enabled and then click OK.

If you go to the Advanced branch, there is an option to prevent users from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings allows users to reset all settings changed since installation, delete browsing history, and disable add-ons that are not preapproved.

  • Double-click the Do not allow resetting Internet Explorer settings policy.
  • Click Enabled and then click OK.

Enabling the Shutdown Event Tracker

When you select Start | Shut Down, Windows 7 proceeds to shut down without any more input from you (unless any running programs have documents with unsaved changes). That’s usually a good thing, but you might want to keep track of why you shut down or restart Windows 7 or why the system itself initiates a shutdown or restart. To do that, you can enable a feature called Shutdown Event Tracker. With this feature, you can document the shutdown event by specifying whether it is planned or unplanned, selecting a reason for the shutdown, and adding a comment that describes the shutdown.

  1. In the Local Group Policy Editor, navigate to the Computer Configuration | Administrative Templates | System branch.
  2. Double-click the Display Shutdown Event Tracker policy.
  3. Click Enabled.
  4. In the Shutdown Event Tracker Should Be Displayed list, select Always.
  5. Click OK.

The Shut Down Windows dialog box appears with the Shutdown Event Tracker feature enabled.

To enable the Shutdown Event Tracker on systems without the Local Group Policy Editor, open the Registry Editor and dig down to the following key:

HKLM\Software\Policies\Microsoft\Windows NT\Reliability

Change the value of the following two settings to 1:

ShutdownReasonOn

ShutdownReasonUI

Thanks to Paul McFedries for these tips

Monday, October 18, 2010

Parental Controls and Family Safety on Windows 7

 

Keeping kids safe online isn’t always easy for parents, especially when the parents are not tech savvy. Parental controls are a great first step to keeping children safe online, and you don’t need to be a computer expert to set them up. In this post I’ll explain how to set up Parental Controls in Windows 7 with the help of Windows Live.

Note: I’m writing this post assuming that you already have a password-protected Administrator account and a Standard account for your kids. If not, please create a standard account and set a password for the administrator account. Use a strong password so kids can’t figure it out easily.

Using the Built-In Parental Controls


Windows 7 provides three options for controlling how your children (or even you) can use the computer:

    • Time Limits – How many hours the account can use the computer.
    • Games – Whether your kid can play games on the computer, and the rating and content types that are allowed.
    • Allow and Block Specific Programs – Select which programs the child can run.

Setup Parental Control

Log on to your computer as an Administrator.

Go to Start | Control Panel | User Accounts and Family Safety | Parental Controls.

You’ll reach the Parental Controls screen.

Then double-click “Test”.

To set the time limit, click “Off”.

Here you can set the time limit. Once you have set it, click OK.

Then, to set the games preferences, select “Off” next to Games.

There you can select whether games can be played under that user account. If you want to set the rating and content types, select “Set game setting”.

There are many content types when you scroll down.

Check the boxes you prefer, then click OK once you’re done. If you want to allow only specific games, select “Block or Allow specific Games”.

On this screen, choose the options that you want and click OK. Then click OK again to come back to the main screen.

To allow or block specific applications, select “Allow and Block specific programs”.

On this screen, select the applications the user is allowed to use by selecting their check boxes. To add one that is not in the list, browse for it and select it. Once you have done that, click OK.

Setting up with Windows Live Family Safety

To set up Windows Live Family Safety, first download the program from http://explore.live.com/windows-live-family-safety

Once you have downloaded and installed the application, go to Control Panel | User Accounts and Family Safety | Parental Controls. In the drop-down list of providers, select Windows Live Family Safety. It will then prompt you for your Windows Live ID and password. If you don’t have one, create a new ID; otherwise sign in with an existing ID.

Select the check box next to the Windows account of each family member you want to monitor on that computer, and then click Next or Save.

If you want to monitor someone who doesn’t have a Windows account, click Create a new Windows account, enter their name, and then click Create account. Make sure you match your existing Family Safety members to their Windows accounts. If there is a Windows account on the computer for someone who hasn’t used Family Safety before, you’ll see them at the bottom of the list as Add (name). When you choose this option, Family Safety creates a new Family Safety membership for them with their Windows account name.

If you don't have passwords for Windows administrator accounts or accounts you're not monitoring with Family Safety, you'll see the Add passwords screen. Click Add passwords. Click Next and you’ll see the Windows accounts that Family Safety is now monitoring on the computer.

Here's how to customize your child’s settings

1. First sign in to the Family Safety website with a parent’s Windows Live ID.

2. Click Edit settings under the name of the child you want to adjust settings for.

3. On your child’s settings page, you can see an overview of their current settings, and choose what you want to adjust.

Customize Web filtering:

Click Web filtering, make sure Turn on web filtering is selected, and then select a web filtering level:

  • Select Strict to block all websites that aren't child friendly or on the allow list.
  • Select Basic to allow websites except those with adult content and anonymizer websites.
  • Select Custom to allow and block website categories manually. To allow a website category, select it. To block a website category, clear its check box.

Click Save.

Allow or block a website

  • Under Allow or block a website, type or paste into the box the web address of the website that you want to allow or block.
  • Select an option from the list, click Add, and then click Allow or Block.
  • Click Save.

Manage your child's contact list

You can choose who your kids can communicate with on Windows Live Hotmail, Windows Live Messenger, and Windows Live Spaces by managing their contacts.

Here is how:

  • Click Contact management, and then click add your child's Windows Live ID.
  • If your child has a Windows Live ID, click Sign in, and then sign in with their ID.

  • Select the Windows Live programs and services you want to allow your child to use.
  • Family Safety automatically adds a child's parents to their contact list. To allow your child to communicate with someone else, enter their name and e-mail address, and then click Add.
  • To allow only parents to add or remove contacts, clear the Allow child to manage their own contact list check box.
  • To allow your child to add or remove their own contacts, select the Allow child to manage their own contact list check box.
  • You’ll be able to see your child's contact list, but you won’t have to receive requests from them for additional contacts.
  • Click Save.

Here's how to view and respond to requests

  • On any computer, sign in to the Family Safety website with your Windows Live ID.
  • On the Family summary page, under Requests, click (number) requests.
  • To show any comments your child added, click the arrow next to the web address.
  • Click the arrow next to Select a response, and then click Approve for this account only, Approve for all accounts, or Deny.
  • When you're done responding to requests, click Save.

Here's how to turn on activity reporting

  • On any computer, sign in to the Family Safety website with your Windows Live ID.
  • On the Family summary page, click View activity report next to the name of the child you want to turn activity reporting on for.
  • Select Turn on activity reporting.
  • Click Save.

Here's how to view activity reports

  • On any computer, sign in to the Family Safety website with your Windows Live ID.
  • To view reports of your child's web activity, do one of the following:
  • To see a list of websites that your child has visited or tried to visit since activity reporting was turned on, click Web activity.
  • To filter the list of websites shown, select the computer, Windows account, and date range you want, and then click Show activity. To sort the list of reported websites by a particular column, click the column header. To show only the websites that were blocked, click Show blocked activity only.
  • If you don't see any activity listed, try entering a larger date range, and then click Show activity.
  • To see a list of websites accessed by non-browser programs, such as auto-updater programs, click Other Internet activity.
  • To view reports of your child's computer activity, do one of the following:
  • To see a list of times your child used the computer, click Computer activity, and then expand Sessions.
  • To see which programs your child used, click Computer activity, and then expand Programs.
  • If you don't see any activity listed, try entering a larger date range, and then click Show activity.
  • To see which files your child downloaded, click Computer activity, and then expand File downloads.
  • To see which games your child played, click Computer activity, and then expand Games.

You’re done setting up the Parental Control account settings.