Windows 7 installation notes
Last modified: Sun Jun 2 10:46:55 EDT 2019
These are notes from my installation of the original release
of Windows 7 Ultimate x64 in July 2010. Your requirements may
vary.
Notes added during a reinstall using Windows 7 Ultimate x64 SP1 U in
2014-12 are indicated by dark blue
text.
Running the install
- The default behavior of Windows 7 is to create separate boot and root
partitions. To get the entirety of Windows 7 to install in a single
partition that can be imaged and rewritten conveniently from Linux, partition
the drive in Linux. Lilo may
require the ignore-table option after Windows installation.
- As with XP, the account created during install becomes the working
Administrator account, but there is another Administrator account that is
disabled by default. Create all additional accounts as Standard
User.
- Unlike previous versions of Windows, no configuration choices can be
made during the installation, other than default keyboard and language.
- The much hyped "XP mode" is not even included on the DVD. It's a
big download that requires activation and Windows Genuine Advantage BS.
Windows (Microsoft) Update
- The option to download updates for Office, etc. (Microsoft Update),
rather than only Windows updates (Windows Update), is not
available except in combination with the option to turn on automatic
updates.
- However, once Microsoft Update has been enabled, automatic
updates can be turned right back off again and the other updates will
still be available when update is run manually.
- 2014: The option to enable Microsoft
Update was broken by IE 11. "Get updates for other Microsoft products.
>Find out more<" goes to a broken web page that does nothing. The
workaround is to add microsoft.com under compatibility view settings in IE 11
and then follow "Find out more."
Network configuration
- Firewall is already enabled.
- Disable the following services for Microsoft Networking:
  - Server
  - SSDP Discovery
  - TCP/IP NetBIOS helper
  - Windows Time
  - Workstation
- Uncheck "Allow Remote Assistance" under Control Panel → System and
Security → System → Advanced system settings → Remote.
On the same screen, ensure that Remote Desktop is disabled.
- Local Area Connection Properties
  - Uncheck IPv6 if not applicable (can't uninstall).
  - Uninstall File & Printer Sharing.
  - Uninstall Client for Microsoft Networks.
  - Uninstall link-layer stuff.
  - Under IPv4 Properties → Advanced, disable NetBIOS and DNS registration.
Some things that were services in XP (e.g., telnet) are now found under
Windows Features.
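A read-only PowerShell audit of the settings in the list above, added here as an example and not part of the original notes. It assumes an elevated prompt; the service short names, registry values and WMI properties are the standard ones behind the GUI items named above.

```powershell
# Added example: read-only audit of the network settings listed above (PowerShell 2.0+).
$results = @()

# Display name -> service short name for the five services to disable
$services = @{
    'Server'                = 'LanmanServer'
    'SSDP Discovery'        = 'SSDPSRV'
    'TCP/IP NetBIOS Helper' = 'lmhosts'
    'Windows Time'          = 'W32Time'
    'Workstation'           = 'LanmanWorkstation'
}
foreach ($display in $services.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($services[$display])'"
    $results += New-Object PSObject -Property @{
        Check = "Service: $display"
        Value = "$($svc.StartMode), $($svc.State)"
        OK    = ($svc.StartMode -eq 'Disabled')
    }
}

# Remote Assistance is off when fAllowToGetHelp = 0;
# Remote Desktop is off when fDenyTSConnections = 1.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$ra = (Get-ItemProperty "$base\Remote Assistance").fAllowToGetHelp
$rd = (Get-ItemProperty "$base\Terminal Server").fDenyTSConnections
$results += New-Object PSObject -Property @{
    Check = 'Remote Assistance'; Value = "fAllowToGetHelp=$ra"; OK = ($ra -eq 0) }
$results += New-Object PSObject -Property @{
    Check = 'Remote Desktop'; Value = "fDenyTSConnections=$rd"; OK = ($rd -eq 1) }

# Per adapter: TcpipNetbiosOptions 2 = NetBIOS over TCP/IP disabled;
# FullDNSRegistrationEnabled False = adapter does not register in DNS.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    ForEach-Object {
        $results += New-Object PSObject -Property @{
            Check = "NetBIOS: $($_.Description)"
            Value = "TcpipNetbiosOptions=$($_.TcpipNetbiosOptions)"
            OK    = ($_.TcpipNetbiosOptions -eq 2)
        }
        $results += New-Object PSObject -Property @{
            Check = "DNS registration: $($_.Description)"
            Value = "FullDNSRegistrationEnabled=$($_.FullDNSRegistrationEnabled)"
            OK    = (-not $_.FullDNSRegistrationEnabled)
        }
    }
$results | Select-Object Check, Value, OK | Format-Table -AutoSize
```

Any row with OK = False is a setting that differs from the list above, which is worth re-checking after service packs or application installs.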
AppLocker
- On a standalone install, AppLocker is found under Local Security Policy → Security Settings → Application Control Policies.
- The Application Identity service must be started for AppLocker to
work. Don't set it to Automatic until rules have been created and
tested.
- The default rules for AppLocker (added via Action → Create Default
Rules in each category) say that BUILTIN/Administrators should be able to run
executables or .msi files from any path. Unfortunately, for whatever
reason, executables and .msi files are still blocked for
administrators. The workaround is to add similar rules that specify the
individual administrator account instead of the Administrators group.
- Delete the default rule that allows Everyone to run any signed .msi
file.
- The default rules are inconsistent in whether they specify * or *.* for
"any path."
- When AppLocker blocks something, sometimes a notification pops up but
sometimes it fails silently. Check the AppLocker event log (Event
Viewer → Applications and Services Logs → Microsoft → Windows
→ AppLocker).
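One way to review AppLocker decisions before setting Application Identity to Automatic, added here as an example and not part of the original notes. The account name and test path are hypothetical placeholders; the cmdlets come from the AppLocker module that ships with Windows 7.

```powershell
# Added example: check AppLocker state, silent blocks, and rule outcomes.
# Run from an elevated PowerShell prompt.
Import-Module AppLocker

# AppLocker only enforces while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# Blocks that produced no pop-up still land in these two logs.
# 8004 = EXE/DLL blocked, 8007 = script/MSI blocked,
# 8003 / 8006 = would have been blocked (collection in audit-only mode).
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
$ids  = 8003, 8004, 8006, 8007
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.Id } |
        Select-Object TimeCreated, Id, Message |
        Format-List
}

# Ask the effective policy what it decides for one user and one file.
$policy   = Get-AppLockerPolicy -Effective
$testPath = 'C:\Windows\System32\notepad.exe'   # sample path, substitute your own
$testUser = "$env:COMPUTERNAME\admin1"          # hypothetical account name
Test-AppLockerPolicy -PolicyObject $policy -Path $testPath -User $testUser |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Compare the PolicyDecision reported here with what the event log shows for the same file and account; a mismatch points at the rule that needs a per-account variant.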
Data Execution Prevention
By default, Data Execution Prevention (using the NX, No eXecute, or XD,
eXecute Disable bits) is enabled only for Windows operating system
executables. The setting to enable it for everything is buried under
Control Panel → System and Security → System → Advanced system
settings → Performance → Settings → Data Execution
Prevention.
Miscellaneous
- Turn off AutoPlay in every account.
- Turn off Tablet PC Components under Windows Features.
- Maybe disable hibernation (run Command Prompt as Administrator,
powercfg -h off, and ensure that hiberfil.sys goes away). APC PowerChute
re-enables hibernation at installation without asking, but you can disable
it afterward and it only whines.
- Run Performance Information and Tools.
- Run ClearType Text Tuner.
- Set text size to Medium.
- Start Internet Explorer and patiently go through the entirety of the
first run wizard in every account. Cancelling the first run wizard
causes many invasive "features" to be enabled without the user's knowledge or
consent. 2014: With IE 11 it has
been reduced to a single "take it or leave it" choice: do you want the
"recommended" settings or not? You then have to dive into buried menus
to find out what it did or to change it.
- By default, SSDs and USB flash drives will be subjected to scheduled
automatic defragmentation (duh). To turn off all automatic defragging,
run Disk Defragmenter, choose Configure Schedule, and select Never Run.
(The option to unselect specific volumes is broken: you can uncheck the
drives, but the OK button is grayed out.) 2014: This time, click on "Configure schedule...," clear the
checkbox next to "Run on a schedule," hit OK; then on the parent screen it
says "Scheduled defragmentation is turned off."
Applications
Office 2010 (retail box)
- To get the 64-bit version you have to manually run the setup program
in the x64 subdirectory on the installation DVD.
- Got a bogus error about not enough memory to load the font or something
the first time around. Did not repeat on second install.
- User reported repeated hangs when trying to Save As. Log message
details said "Cross thread Deadlock." Problem went away after reboot.
- Was eventually forced to switch to the 32-bit version because of
Excel crashing when trying to print.
Firefox and Thunderbird
- To copy in a profile, it needs to go under
\Users\Somebody\AppData\Roaming (with the usual edit to profiles.ini).
The one under \Users\Somebody\AppData\Local is just cache.
- The account configurator in T-Bird 3.1.1 is buggy. Once it
gets stuck on the wrong options, you pretty much have to delete your
AppData Thunderbird directories and start over.
Chrome
- The profile to be moved is under \Users\Somebody\AppData\Local\Google. There is no corresponding directory under Roaming.
AVG Antivirus
- Routine auto-updates of virus definitions run just fine without an administrator password.
- Installing AVG causes Windows Defender to be disabled.
- As of AVG 2015, the notification spam has gotten
so bad that I turned off all notifications.
QuickBooks 2010
- Abandon all hope.
- Updates to the QuickBooks software need an administrator password.
Payroll updates do not.
- QuickBooks runs updates from the ProgramData directory, necessitating a
special case in AppLocker (Exe Publisher rule for Intuit).
- QuickBooks installation installs MSXML and an old Flash plugin for IE
(32-bit only) without asking. Update or de-install the Flash plugin
immediately afterward to cure the security risk.
- Every QuickBooks installation or update always silently changes the
default printer to QuickBooks PDF Converter. Change it back to avoid a
lot of drama the next time somebody tries to print something.
- The QuickBooks PDF Converter is broken as installed, and will (a) fail, (b) hang QuickBooks, and (c) keep setting itself as the default printer. To fix (abridged from Intuit's long version):
  - Printers
  - Right click QuickBooks PDF Converter
  - Printer properties
  - Ports
  - Select NUL:
  - Apply
  - Advanced
  - Check Spool print documents
  - Uncheck Enable advanced printing features
  - Check Print directly to printer
  - Apply
  - Reboot
- QuickBooks never exits normally; it always ends with an application crash notification from Windows.
- Don't forget, you have to start a browser before you ask QuickBooks
to connect to the web, or it won't be able to figure it out.