Windows 7 installation notes
Last modified: Sun Jun 2 10:46:55 EDT 2019
These are notes from my installation of the original release
of Windows 7 Ultimate x64 in July 2010. Your requirements may
Notes added during a reinstall using Windows 7 Ultimate x64 SP1 U in
2014-12 are indicated by dark blue
Running the install
- The default behavior of Windows 7 is to create separate boot and root
partitions. To get the entirety of Windows 7 to install in a single
partition that can be imaged and rewritten conveniently from Linux, partition
the drive in Linux. Lilo may
require the ignore-table option after Windows installation.
- As with XP, the account created during install becomes the working
Administrator account, but there is another Administrator account that is
disabled by default. Create all additional accounts as Standard
- Unlike previous versions of Windows, no configuration choices can be
made during the installation, other than default keyboard and language.
- The much hyped "XP mode" is not even included on the DVD. It's a
big download that requires activation and Windows Genuine Advantage BS.
Windows (Microsoft) Update
- The option to download updates for Office, etc. (Microsoft Update),
rather than only Windows updates (Windows Update), is not
available except in combination with the option to turn on automatic
- However, once Microsoft Update has been enabled, automatic
updates can be turned right back off again and the other updates will
still be available when update is run manually.
- 2014: The option to enable Microsoft
Update was broken by IE 11. "Get updates for other Microsoft products.
>Find out more<" goes to a broken web page that does nothing. The
workaround is to add microsoft.com under compatibility view settings in IE 11
and then follow "Find out more."
- Firewall is already enabled.
- Disable the following services for Microsoft Networking:
- SSDP Discovery
- TCP/IP NetBIOS helper
- Windows Time
- Uncheck "Allow Remote Assistance" under Control Panel → System and
Security → System → Advanced system settings → Remote.
On the same screen, ensure that Remote Desktop is disabled.
- Local Area Connection Properties
- Uncheck IPv6 if not applicable (can't uninstall).
- Uninstall File & Printer Sharing.
- Uninstall Client for Microsoft Networks.
- Uninstall link-layer stuff.
- Under IPv4 Properties → Advanced, disable NetBIOS and DNS registration.
Some things that were services in XP (e.g., telnet) are now found under
- On a standalone install, AppLocker is found under Local Security Policy → Security Settings → Application Control Policies.
- The Application Identity service must be started for AppLocker to
work. Don't set it to Automatic until rules have been created and
- The default rules for AppLocker (added via Action → Create Default
Rules in each category) say that BUILTIN/Administrators should be able to run
executables or .msi files from any path. Unfortunately, for whatever
reason, executables and .msi files are still blocked for
administrators. The workaround is to add similar rules that specify the
individual administrator account instead of the Administrators group.
- Delete the default rule that allows Everyone to run any signed .msi
- The default rules are inconsistent in whether they specify * or *.* for
- When AppLocker blocks something, sometimes a notification pops up but
sometimes it fails silently. Check the AppLocker event log (Event
Viewer → Applications and Services Logs → Microsoft → Windows
Data Execution Prevention
By default, Data Execution Prevention (using the NX, No eXecute, or XD,
eXecute Disable bits) is enabled only for Windows operating system
executables. The setting to enable it for everything is buried under
Control Panel → System and Security → System → Advanced system
settings → Performance → Settings → Data Execution
- Turn off AutoPlay in every account.
- Turn off Tablet PC Components under Windows Features.
- Maybe disable hibernation (run Command Prompt as Administrator,
powercfg -h off, and ensure that hiberfil.sys goes away). APC PowerChute re-enables hibernation at installation
without asking, but you can disable it afterward and it only whines.
- Run Performance Information and Tools.
- Run ClearType Text Tuner.
- Set text size to Medium.
- Start Internet Explorer and patiently go through the entirety of the
first run wizard in every account. Cancelling the first run wizard
causes many invasive "features" to be enabled without the user's knowledge or
consent. 2014: With IE 11 it has
been reduced to a single "take it or leave it" choice: do you want the
"recommended" settings or not? You then have to dive into buried menus
to find out what it did or to change it.
- By default, SSDs and USB flash drives will be subjected to scheduled
automatic defragmentation (duh). To turn off all automatic defragging,
run Disk Defragmenter, choose Configure Schedule, and select Never Run.
(The option to unselect specific volumes is broken: you can uncheck the
drives, but the OK button is grayed out.) 2014: This time, click on "Configure schedule...," clear the
checkbox next to "Run on a schedule," hit OK; then on the parent screen it
says "Scheduled defragmentation is turned off."
Office 2010 (retail box)
- To get the 64-bit version you have to manually run the setup program
in the x64 subdirectory on the installation DVD.
- Got a bogus error about not enough memory to load the font or something
the first time around. Did not repeat on second install.
- User reported repeated hangs when trying to Save As. Log message
details said "Cross thread Deadlock." Problem went away after reboot.
- Was eventually forced to switch to the 32-bit version because of
Excel crashing when trying to print.
Firefox and Thunderbird
- To copy in a profile, it needs to go under
\Users\Somebody\AppData\Roaming (with the usual edit to profiles.ini).
The one under \Users\Somebody\AppData\Local is just cache.
- The account configurator in T-Bird 3.1.1 is buggy. Once it
gets stuck on the wrong options, you pretty much have to delete your
AppData Thunderbird directories and start over.
- The profile to be moved is under \Users\Somebody\AppData\Local\Google. There is no corresponding directory under Roaming.
- Routine auto-updates of virus definitions run just fine without an administrator password.
- Installing AVG causes Windows Defender to be disabled.
- As of AVG 2015, the notification spam has gotten
so bad that I turned off all notifications.
- Abandon all hope.
- Updates to the QuickBooks software need an administrator password.
Payroll updates do not.
- QuickBooks runs updates from the ProgramData directory, necessitating a
special case in AppLocker (Exe Publisher rule for Intuit).
- QuickBooks installation installs MSXML and an old Flash plugin for IE
(32-bit only) without asking. Update or de-install the Flash plugin
immediately afterward to cure the security risk.
- Every QuickBooks installation or update always silently changes the
default printer to QuickBooks PDF Converter. Change it back to avoid a
lot of drama the next time somebody tries to print something.
- The QuickBooks PDF Converter is broken as installed, and will (a) fail, (b) hang QuickBooks, and (c) keep setting itself as the default printer. To fix (abridged from Intuit's long version):
- Right click QuickBooks PDF Converter
- Printer properties
- Select NUL:
- Check Spool print documents
- Uncheck Enable advanced printing features
- Check Print directly to printer
- QuickBooks never exits normally; it always ends with an application crash notification from Windows.
- Don't forget, you have to start a browser before you ask QuickBooks
to connect to the web, or it won't be able to figure it out.