Windows 8 Hacks

Figure 8-1.
Set up BitLocker and BitLocker to Go from here

Click the “Turn on BitLocker” link near the removable drive you want to protect. After
a few moments, a screen appears asking how you would like to unlock the drive when
you plug it in. If you use smart card-based security, turn on the option at the bottom,
which is specifically for smart cards. Like most people, though, you likely don’t have
a smart card, so turn on the checkbox for the top option: “Use a password to unlock
the drive.” Type a password, type it again to confirm, and then click Next. (See
Figure 8-2.)

Tip: If you don’t see a “Turn on BitLocker” link, click the down arrow to the right of
the name of your removable drive.

Next, you’re asked how you want to back up your recovery key (your password). This
is an extremely important step, because if you lose it, you won’t be able to read the
data on the drive you’re protecting. You can print it out and put it somewhere for
safekeeping, save it to a file, or save it to your Microsoft account. Make your choice
then click Next. (See Figure 8-3.)

252 WINDOWS 8 HACKS

Figure 8-2.
Creating a password to unlock your removable storage

Figure 8-3. 253
Choosing where to back up your recovery key

CHAPTER 8: SECURITY

After a short while, you’re told that your recovery key has been backed up. Click Next.
Now you choose whether to encrypt the entire drive, or only the space that’s already
being used. There’s a good chance that you’ll be confused by this option. But it’s
actually a simple decision. If the flash drive is new and hasn’t been used before, choose
“Encrypt used disk space only” (Figure 8-4). This is the fastest choice. It will encrypt
any new data you add, so you know for sure it will protect all your data. If you already
have data on the drive, or once had data on it, choose “Encrypt entire drive.” Make this
choice even if you’ve had data and deleted it, because otherwise, someone may be
able to recover your deleted data. Click Next, and then from the screen that appears,
click “Start encrypting.”

Figure 8-4.
Choosing whether to encrypt the entire drive, or only part of it

After a while, depending on the size of your drive, how much data is on it, and your
processor speed, you’ll get a message that the encryption is complete (Figure 8-5).
You can now take it out of your Windows device and take with you. Only someone with
the right password will be able to read it.

254 WINDOWS 8 HACKS

Figure 8-5.
Congratulations—you’ve encrypted a drive

When you plug it in, you’ll get a notice that a BitLocker-protected drive has been in-
serted into a drive. Tap the notice, type your password on the screen that appears,
and you’re ready to go.

Tip: If you don’t get a notice, you can still unlock the drive. Go to the same screen
you used to start the BitLocker encryption, and you’ll see an “Unlock drive” next
to the drive. Click that and type in your password from the screen that appears
(Figure 8-6).

Figure 8-6.
Unlocking a BitLocker-protected drive

Note that if you click the “More options” link, you’ll be able to tell BitLocker that from
now on, whenever this drive is inserted into the computer you’re using, it should be
opened automatically, without a password needing to be typed in. However, on other
devices, you’ll still need to type a password.

CHAPTER 8: SECURITY 255

When you use File Explorer, a BitLocker-protected removable disk has a different icon
than an unprotected one. If you haven’t yet unlocked it, you’ll see a locked padlock
icon, as shown in Figure 8-7. To unlock it, click it and type in the password from the
screen that appears. Once it’s unlocked, it shows up in File Explorer with an unlocked
icon.

Figure 8-7.
Unlocking a BitLocker-protected drive

Hacking the Hack

You can also protect your hard disk with BitLocker. When you get to the initial screen
for protecting portable storage, click BitLocker next to the disk you want to protect
with it, and follow the instructions.

See Also

• Hack #79, “Hide Folders and Files with the Encrypting File System”

HACK 79 Hide Folders and Files with the
Encrypting File System

Protect all the information on your PC from prying eyes using Windows’
built-in encryption scheme.

If you’re looking to protect files on a file-by-file basis or a folder-by-folder basis, rather
than all at once, you don’t need to use BitLocker. Instead, you can use Windows 8’s
Encrypting File System (EFS), which lets you easily encrypt individual files or groups
of files.

256 WINDOWS 8 HACKS

Note: The Encrypting File System is available only on Windows 8 Pro and
Enterprise.

EFS lets you encrypt only the files and folders of your choice; you can encrypt a single
file or folder or all your files and folders. Encrypted files and folders show up in File
Explorer in green, so you can tell at a glance which have been encrypted. You can work
with encrypted files and folders transparently; in other words, after you encrypt them,
you open and close them as you normally would any other file. They’re decrypted on
the fly as you open them, and then encrypted as you close them. You’re the only person
who can read or use the files. Encryption is tied to your account name, so even other
accounts on the same computer can’t read or use them, unless you specifically grant
access to certain accounts.

Note: Each time you encrypt a file, EFS generates a random number for that file
called the file encryption key (FEK). EFS uses that FEK to encrypt the file’s contents
with a variant of the Data Encryption Standard (DES) algorithm, called DESX.
(DESX features more powerful encryption than DES.) The FEK itself is encrypted
as well using RSA public key-based encryption.

EFS has a few minor limitations you should be aware of:

• EFS works only on NTFS volumes.

• EFS won’t work on compressed files. You’ll have to decompress them if you want
to encrypt them. Similarly, if you want to compress an encrypted file, you’ll have
to decrypt it.

• EFS can’t encrypt files in the C:\Windows folder or any files marked with the System
attribute.

When you work with encrypted files and folders, they appear to behave like any other
files on your hard disk. In fact, though, their behavior is somewhat different, and you
may notice files you thought were encrypted suddenly become decrypted for no ap-
parent reason. So, before you turn on encryption, you should understand the common
actions you can take with encrypted files and folders, and what the results will be.
Table 8-1 lists what you need to know.

Table 8-1. How encrypted files and folders behave

ACTION RESULT

Move or copy unencrypted files into an encrypted folder. The files are automatically encrypted.

Move or copy encrypted files from an encrypted folder to The files remain encrypted.
an unencrypted folder.

CHAPTER 8: SECURITY 257

ACTION RESULT

Move or copy encrypted files from an encrypted folder to The files are decrypted, though first you are given a warning

a non-NTFS volume. and a chance to cancel the move or copy operation.

Back up files using Windows’ backup utility. The backed-up files and folders remain encrypted.

Rename an encrypted file. The file remains encrypted after it is renamed.

Delete an encrypted file. The restorable file in the Recycle Bin remains encrypted.

Encrypting Files and Folders

To encrypt a file or folder, right-click the file or folder in File Explorer and choose
Properties→General→Advanced. The Advanced Attributes dialog box appears, as
shown in Figure 8-8.

Figure 8-8.
Encrypting a file

Turn on the “Encrypt contents to secure data” checkbox. Note that you can’t turn on
both this box and the “Compress contents to save disk space” box. You can either
compress the item or encrypt it, but not both.

Click OK, and then OK again. If you’re encrypting a folder with subfolders underneath
it, the Confirm Attributes Changes dialog box appears (Figure 8-9). You have a choice
of encrypting the folder only, or encrypting the folder plus all subfolders and all the
files in the folder and subfolders. If you encrypt the folder only, none of the files cur-
rently in the folder will be encrypted, but any new files you create, move, or copy into
the folder will be encrypted.

If you’re encrypting a file in an unencrypted folder, the Encryption Warning box will
appear. You have the choice of encrypting the file only, or the file and the parent folder.

258 WINDOWS 8 HACKS

Figure 8-9.
Encrypting files or folders using the Advanced Attributes dialog box

As a general rule, you should encrypt the folder as well as the file, because if you
encrypt only the file, you might accidentally decrypt it without realizing it. Some ap-
plications save copies of your files and delete the originals; in those instances, the files
become decrypted simply by editing them.

If you encrypt the folder as well, all files added to the folder are encrypted, so the saved
file is automatically encrypted. Click OK after you make your choice.

If this is the first time you’re encrypting a file or folder, you’ll get a pop-up notice (see
Figure 8-10) asking whether you want to back up your file encryption certificate and
key, which is a good idea. Click “Back up Now” and follow the wizard’s instructions;
your best bet is to simply choose the defaults.

Decrypting Files and Folders

You decrypt files and folders in the same way you encrypt them. Right-click the file or
folder, choose Properties→General→Advanced, clear the checkmark from the “En-
crypt contents to secure data” box. Click OK and then OK again.

Letting Others Use Your Encrypted Files

When you encrypt files, you can still share them with others and let them use them
as if they were not encrypted—a process that Windows defines as transparent. You’ll
be able to share them this way only with other users on the same computer or with
others on your network. You designate who can use the files and who can’t. To allow
specified people to use your encrypted files, right-click an encrypted file, and choose
Properties→General→Advanced. The Advanced Attributes dialog box appears. Click
Details. The Encryption Details dialog box appears, as shown in Figure 8-11. It lists all
the users who are allowed to use the file transparently. Click Add.

CHAPTER 8: SECURITY 259

Figure 8-10.
A pop-up notice asking whether you would like to back up your encryption key

Figure 8-11. WINDOWS 8 HACKS
Choosing to share an encrypted file with others

260

The Select User dialog box appears. Choose the users you want to be able to use your
encrypted files, and click OK. Only users whose computers have Encrypting File Sys-
tem certificates will show up on this list. The easiest way for someone to create a
certificate is to encrypt any file; that automatically creates their certificate.

Encrypting and Decrypting from the Command Line

If you prefer the command line to a graphical interface, you can encrypt and decrypt
using the cipher.exe command-line tool. To find the current state of encryption of the

directory you’re in, type cipher without parameters at a command prompt. cipher tells
you the state of the directory. For individual files, it lists a U next to files that are not
encrypted and an E next to those that are encrypted.

When used with parameters, cipher can encrypt and decrypt files and folders, show
encryption information, create new encryption keys, and generate a recovery agent
key and certificate.

To encrypt or decrypt a folder or file, use the complete path, filename (if you’re acting
on a file), and any appropriate switches, as outlined in Table 8-2. The /E switch
encrypts folders or files, and the /D switch decrypts them. To perform the task on
multiple folders or files, separate them with single spaces. For example, to encrypt
the \Secret and \Topsecret folders, issue this command:

cipher /E \Secret \Topsecret

Table 8-2 lists the most useful command-line switches for cipher. For more help, type
cipher /? at the command line.

Table 8-2. Command-line switches for cipher

SWITCH WHAT IT DOES

/D Decrypts the specified file or folder.

/E Encrypts the specified file or folder.

/H Displays all files in a folder, including those that have hidden or system attributes. (These are not
displayed by default).

/K Creates a new file encryption key for the user running cipher. If this option is chosen, all the
other options will be ignored.

/R Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing
the certificate and a private key) and a .cer file (containing only the certificate).

/S Performs the operation on the folder and all its subfolders.

/U Updates the user’s file encryption key or recovery agent’s key on every encrypted file.

/U /N Lists every encrypted file and does not update the user’s file encryption key or recovery agent’s
key.

CHAPTER 8: SECURITY 261

SWITCH WHAT IT DOES
/W Wipesdatafromunuseddiskspaceonthedrive.(Whenafileisdeleted,itsdataremainsuntouched
until another file claims the unused space. /W deletes all vestiges of this data. It does not harm
/X filename existing data.)
/ADDUSER user Backs up your certificate and keys to filename.
/REMOVEUSER Adds the specified user to the file.
user Removes the specified user.
/REKEY
Updates files to use your current EFS key.

See Also
• Hack #78, “Keep Portable Storage Secure with BitLocker to Go”

HACK 80 Tell Windows 8 Apps Not to Snoop on
Your Location

Windows 8 was built to use location-based information as a way to deliver
more relevant services and information to you. If you’re worried about
being snooped on, here’s how to turn that off.

When you first set up Windows 8, you were asked whether to allow the operating
system and its apps to find your location and then use that information to deliver
better services and information to you. So if you’re using Windows 8 on a portable
device like a tablet or notebook, it can know where you are. When you use Maps, for
example, Windows 8 can let you know about stores nearby, give you directions, and
so on.

But not everybody likes the idea of their operating system and its apps knowing quite
so much about them. If you feel that way, it’s easy to turn this feature off.

Press the Windows key+I to bring up the Settings screen and select Change PC Set-
tings→Privacy. You’ll see the screen pictured in Figure 8-12.

There are only three settings here. Turn the top one off if you want to ban apps from
using your location. (If an app requires your location, it will ask if you want to turn
location information back on.) The next one doesn’t allow apps to use your name and
your account picture. And the final one sends the URLs from apps you use to the
Windows Store. Microsoft claims that this information will help improve the Windows
Store, although they haven’t detailed how.

262 WINDOWS 8 HACKS

Figure 8-12.
Changing your privacy settings

Hacking the Hack

Wondering what information Windows 8 gathers about you and how Microsoft uses
it? Head to Microsoft’s Windows 8 privacy statement.

HACK 81 Turn off the Windows 8 SmartScreen
Filter

The Windows 8 SmartScreen filter protects you from visiting dangerous
websites and downloading dangerous software. Some people worry that
the feature sends private information to Microsoft, so here’s how to turn
it off, or customize how it works, if you want.

The Internet is filled with plenty of sites that could invade your privacy or do you harm,
including nasty downloads that could harm to your computer, or invade your privacy.
To help combat these demons, Microsoft uses a feature called the SmartScreen filter,
which warns you away from dangerous websites, and blocks downloads of dangerous
files.

The SmartScreen filter was available in earlier versions of Windows, but in Windows
8, it’s been expanded. Earlier versions of the SmartScreen filter didn’t block malicious
downloads; the one in Windows 8 does.

CHAPTER 8: SECURITY 263

Some people worry that the new feature itself could invade your privacy, by allowing
Microsoft to find out what apps you’re running. No need for going into the details here,
but Nadim Kobeissi laid out his warnings at www.tinyurl.com/win8hacks2. Microsoft
discounts his arguments, as do many other people, such as the folks at Ars Technica
at http://ars.to/RaSb2t.

I’m not here to referee the argument. But I am here to give you the power to turn off
the SmartScreen Filter in Windows 8 if you’re so inclined. Just keep in mind that if you
do turn it off, you’ll be removing a level of protection from Windows 8.

That said, here’s how to go about turning it off. First, launch the Control Panel by typing
Control Panel at the Start screen, highlighting the Control Panel applet and pressing
Enter. Select System and Security→Action Center and click the down arrow next to
Security to display a long list of security-related options.

Figure 8-13.
Among the security options for Action Center is one to turn off the SmartScreen Filter

Click Change Settings underneath the Windows SmartScreen option. A screen ap-
pears with three options (see Figure 8-14).

Get administrator approval before running an unrecognized app from the
Internet

This is the default setting. It means that the SmartScreen filter is in full force. Only
an administrator can override SmartScreen after receiving a warning that an app
may be dangerous.

264 WINDOWS 8 HACKS

Warn before running an unrecognized app, but don’t require administrator
approval

This means that someone will still be warned when an app is unrecognized, but
that the person can override the warning and run the app even if he’s not an
administrator. Keep in mind that with this option, under the theory put forward
by Nadim Kobeissi, Microsoft would still get information about your apps.

Don’t do anything (turn off Windows SmartScreen)
As the name says, this turns off SmartScreen completely. You’re on your own
when it comes to Internet dangers.

Figure 8-14.
Among the security options for Action Center is one to turn off the SmartScreen Filter

HACK 82 Protect Yourself with a Windows 8
Picture Password

The weakest link in the security chain is often your password. Here’s how
to log in to Windows 8 using a picture instead.

The common image of a dangerous hacker is someone with an almost supernatural
ability to crack code. The reality is much more mundane. Many attacks are instead
launched by much simpler methods, such as guessing or stealing someone’s pass-
word. Many people use easy-to-guess passwords. Furthermore, because people need
so many passwords, they tend to reuse the same one or a variant of it over and over.

Windows 8 provides a very clever way around the password problem. It lets you use
something called a picture password, which really isn’t a password at all. Instead, it’s
a drawing that you make based on an existing picture that has to be replicated for
someone to log into your Windows 8 system.

CHAPTER 8: SECURITY 265

To use this feature, press Windows key+I to bring up the Settings screen, and then
select Change PC Settings→Users→“Create a Picture Password.” You’ll first have to
confirm your current password. Then you’ll be presented with a screen like the one in
Figure 8-15.

Figure 8-15.
The first step in creating a picture password

Once you do that, you’re sent to a screen that lets you choose a picture to use the
basis for your picture password. Choose the picture, and then draw right on the
touchscreen (or use your mouse on a non-touchscreen) using a combination of three
circles, taps, and straight lines. When you’ve finished setting it up, the next time you
log into Windows, you’ll see the picture that was the basis of your picture password.
Draw on it in the way you set up and you’ll log into Windows. Of course, when you’re
having trouble entering the picture password, or are located at a place where
password shoulder surfing might be an issue, you can switch to using your password
at the logon screen.

HACK 83 Create a Windows 8 Recovery Tool

Plenty of things can go wrong in Windows to make it impossible to boot.
Here’s how to create a tool that will help you recover from disaster.

It’s your worst nightmare: for some reason, Windows 8 won’t boot, and not only have
you lost access to the operating system, but to your files as well. One solution is to
use a recovery tool built right into Windows 8. This feature lets you build a recovery
drive with a USB flash drive, or CD-RW, or recordable DVD, and then boot using that
drive. Once you do that, you’ll be able to recover your data and possibly fix Windows
8 as well.

266 WINDOWS 8 HACKS

On the Start screen, type Recovery, click Settings, and choose “Create a Recovery
Drive.” On the first screen that appears, you’ll see an option for copying information
from your system’s recovery partition, if it has one (Figure 8-16). Doing so is a good
idea, because it may give you extra features during recovery. Click Next. (If your device
doesn’t have a recovery partition, unfortunately, this option will be grayed out.)

Figure 8-16.
The first step in creating a recovery drive

Note: In order to use a recovery drive, your Windows 8 device needs to be able to
boot from a CD or DVD, or from a USB drive. Check your system’s documentation
to make sure it can, and if it can, how to enable that feature.

On the next screen, you’ll be prompted to insert or use a USB flash drive (Figure 8-17)
or use a CD or DVD for recovery. (Previous versions of Windows couldn’t use a USB
flash drive for recovery.) Choose which you want to use and click Next, and then click
Create. (The recovery drive will start building, as shown in Figure 8-18.)

Warning: Everything already on the USB flash drive or disk will be deleted, so if you
have data you want to save, copy it off the drive or disk first.

CHAPTER 8: SECURITY 267

Figure 8-17.
Choosing a USB flash drive for your recovery medium

Figure 8-18.
Windows 8 at work, creating a recovery drive

After a few minutes, you’ll get a message that the recovery drive is ready. Make sure
to keep it in a safe place, and hope that you don’t have to resort to using it.

268 WINDOWS 8 HACKS

If your system won’t boot, plug in the drive and restart your device. You’ll boot from
the USB flash drive or disk instead of your device, where you’ll be able to choose from
a variety of options, depending on what your problem was, and what you want to do.
You can, for example, try using System Restore; try an automated repair; perform a
Refresh, which will reinstall Windows but keep your files and settings; or Reset, which
wipes your files and reinstalls Windows.

HACK 84 Hack Windows 8’s User Account Control

Windows 8’s User Account Control is there to protect you…and some-
times to annoy you. Here’s how to bend it to your will.

Windows 8’s User Account Control (UAC) is designed to protect you from yourself and
against malware. When you try to make any one of a variety of important system
changes to Windows 8, a UAC prompt appears, and you have to click the Continue
button or enter a password before you proceed.

There’s some method to this madness. UAC is designed to stop your system and its
files from being tampered with. If malware gets loose on your PC, UAC will help stop
it from doing damage because the malware won’t be able to click a Continue button
or type in a password. You’ll get some warning before you try to make a change that
will launch a UAC prompt. As you can see in Figure 8-19, a setting protected by UAC
has a shield next to it.

Figure 8-19.
Settings protected by UAC have shield icons next to them

Note: The kind of UAC prompt that appears—either one that asks you to continue
or one that asks you to type in your password—depends on whether you’re logged
in as a standard user or an administrator. If you’re logged in as an administrator,
you’ll only have to click Continue. If you’re logged in as a standard user, you’ll have
to type in an administrator’s password. If there are multiple administrators set up
on the computer, the prompt will include a list of all the administrators. You’ll have
to type the password underneath the right administrator account.

UAC and Elevating Privileges

Before you hack UAC, you need to understand its guiding principle—that of the least-
privileged user. Under it, an account is set up that has only the minimum amount of
privileges needed in order to run the computer for most tasks. A standard user, in
Windows 8, is this least-privileged user.

CHAPTER 8: SECURITY 269

But when a change needs to be made that can affect the overall operation or security
of the operating system, the standard user’s privileges aren’t enough. Someone with
greater privileges—usually called an administrator account—must make the change.
That’s why a standard user needs to type an admin password to make a change, and
why an administrator must confirm whenever she wants to make a system-related
change.

Hack UAC with the Control Panel

You’re not stuck with Windows 8’s default behavior when it comes to UAC; you can
change how UAC works in any of several ways. If you’re looking for the simplest way,
although without fine-grained control, your best bet is to do it through the Control
Panel. Launch the Control Panel by typing Control Panel at the Start screen, high-
lighting the Control Panel applet and pressing Enter. Then select “System and Secu-
rity” and click “Change User Account Control Settings” toward the top of the screen.
The screen shown in Figure 8-20 appears.

Figure 8-20.
Changing UAC settings through the Control Panel

You’ve got a choice of four settings here. The default settings vary depending on
whether you’re logged in as a normal user or an administrator. An administrator has
settings that cause the UAC prompt to appear less often. Regular users, by default,
have the “Always notify” setting, while administrators have the “Notify me only when

270 WINDOWS 8 HACKS