Windows 7 Resource Kit, Part 15


BitLocker Drive Encryption CHAPTER 16
653
3. On the Choose How You Want To Unlock This Drive page, select one or more protection
methods:
• Use A Password To Unlock This Drive. Users will be prompted to type a password before
they can access the contents of the drive.
• Use My Smart Card To Unlock The Drive. Users will be prompted to insert a smart card
before they can access the contents of the drive. You can use this option with removable
drives; however, you will not be able to access the drive using Windows Vista or Windows XP
because smart cards cannot be used with the BitLocker To Go Reader.
• Automatically Unlock This Drive On This Computer. Windows will automatically unlock
non-removable data drives without prompting the user. Selecting this option requires that
the system volume be protected by BitLocker. If you move the drive to a different computer,
you will be prompted for credentials.
4. On the How Do You Want To Store Your Recovery Key page, choose the method to save the
recovery key. Click Next.
5. On the Are You Ready To Encrypt This Drive page, click Start Encrypting.
How to Manage BitLocker Keys on a Local Computer
To manage keys on a local computer, follow these steps:
1. Open Control Panel and click System And Security. Under BitLocker Drive Encryption,
click Manage BitLocker.
2. In the BitLocker Drive Encryption window, click Manage BitLocker.
Using this tool, you can save the recovery key to a USB flash drive or a file, or you can print
the recovery key.
How to Manage BitLocker from the Command Line
To manage BitLocker from an elevated command prompt or from a remote computer, use the
Manage-bde.exe tool. The following example demonstrates how to view the status.


manage-bde -status
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

Size: 74.37 GB
BitLocker Version: Windows 7
Conversion Status: Fully Encrypted
Percentage Encrypted: 100%
Encryption Method: AES 128 with Diffuser
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: None
Key Protectors:
TPM
Numerical Password
Run the following command to enable BitLocker on the C drive, store the recovery key on
the Y drive, and generate a random recovery password.
manage-bde -on C: -RecoveryKey Y: -RecoveryPassword
BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []

[OS Volume]
Key Protectors Added:
Saved to directory Y:\

External Key:
ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
External Key File Name:
7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

Numerical Password:
ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
Password:
460559-421212-096877-553201-389444-471801-362252-086284

TPM:
ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

ACTIONS REQUIRED:

1. Save this numerical recovery password in a secure location away from
your computer:

460559-421212-096877-553201-389444-471801-362252-086284

To prevent data loss, save this password immediately. This password helps
ensure that you can unlock the encrypted volume.
2. Insert a USB flash drive with an external key file into the computer.


3. Restart the computer to run a hardware test.
(Type "shutdown /?" for command line instructions.)

4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.
After you run the command, restart the computer with the recovery key connected to complete
the hardware test. After the computer restarts, BitLocker will begin encrypting the disk.
Run the following command to disable BitLocker on the C drive.
manage-bde -off C:
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.
You can also use the Manage-bde.exe tool to specify a startup key and a recovery key,
which can allow a single key to be used on multiple computers. This is useful if a single
user has multiple computers, such as a user with both a Tablet PC computer and a desktop
computer. It can also be useful in lab environments, where several users might share several
different computers. Note, however, that a single compromised startup key or recovery key
will require all computers with the same key to be rekeyed.
For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a
command prompt.
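As an added example (not code from the Resource Kit), the following PowerShell parses the text that manage-bde -status prints and flags volumes that are not fully encrypted, not protected, or lack a Numerical Password protector (the protector that AD DS backup and printed recovery passwords depend on). It assumes manage-bde.exe is on the PATH and prints the English labels shown above; the sample text at the bottom is constructed from the chapter's output plus an unprotected data volume.

```powershell
# Added example: audit manage-bde -status output (not part of the Resource Kit).

function ConvertFrom-ManageBdeStatus {
    # Turn the lines printed by "manage-bde -status" into one object per volume.
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $volumes = @()
    $current = $null
    $inProtectors = $false

    foreach ($line in $Lines) {
        $t = $line.Trim()

        # Each volume block starts with a line such as "Volume C: []".
        if ($t -match '^Volume\s+([A-Za-z]:)') {
            $current = New-Object PSObject -Property @{
                Drive            = $Matches[1].ToUpper()
                ConversionStatus = ''
                ProtectionStatus = ''
                EncryptionMethod = ''
                KeyProtectors    = @()
            }
            $volumes += $current
            $inProtectors = $false
            continue
        }
        if ($current -eq $null) { continue }   # still in the banner above the first volume

        if ($t -match '^Conversion Status:\s*(.+)$') { $current.ConversionStatus = $Matches[1]; $inProtectors = $false; continue }
        if ($t -match '^Protection Status:\s*(.+)$') { $current.ProtectionStatus = $Matches[1]; $inProtectors = $false; continue }
        if ($t -match '^Encryption Method:\s*(.+)$') { $current.EncryptionMethod = $Matches[1]; $inProtectors = $false; continue }
        if ($t -match '^Key Protectors:')            { $inProtectors = $true; continue }

        # Lines under "Key Protectors:" name one protector type each (TPM, Numerical Password,
        # External Key, ...) until the next labelled line or the next volume. "None Found" is skipped.
        if ($inProtectors -and $t -ne '' -and $t -notmatch ':' -and $t -ne 'None Found') {
            $current.KeyProtectors += $t
        }
    }
    return $volumes
}

function Test-BitLockerVolume {
    # Return a list of compliance findings for one parsed volume (empty list = compliant).
    param([Parameter(Mandatory = $true)]$Volume)
    $findings = @()
    if ($Volume.ConversionStatus -ne 'Fully Encrypted') {
        $findings += "conversion status is '$($Volume.ConversionStatus)'"
    }
    if ($Volume.ProtectionStatus -ne 'Protection On') {
        $findings += "protection is '$($Volume.ProtectionStatus)' (suspended with a clear key, or off)"
    }
    if (-not ($Volume.KeyProtectors -contains 'Numerical Password')) {
        $findings += 'no Numerical Password protector, so there is no recovery password to back up'
    }
    return $findings
}

function Invoke-BitLockerStatusAudit {
    # Run manage-bde on the local computer and print one line per volume.
    param([string[]]$Lines = $(& manage-bde.exe -status 2>&1 | ForEach-Object { "$_" }))
    foreach ($v in ConvertFrom-ManageBdeStatus -Lines $Lines) {
        $f = @(Test-BitLockerVolume -Volume $v)
        if ($f.Count -eq 0) { "$($v.Drive) OK ($($v.EncryptionMethod))" }
        else                { "$($v.Drive) NOT COMPLIANT: " + ($f -join '; ') }
    }
}

# Constructed sample: the chapter's C: output followed by an unprotected data volume D:.
$sample = @'
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]
    Size:                 74.37 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:
        None Found
'@ -split "`r?`n"

Invoke-BitLockerStatusAudit -Lines $sample
# Prints "C: OK (AES 128 with Diffuser)" and a NOT COMPLIANT line for D:; call it with no
# arguments to audit the local computer.
```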
How to Recover Data Protected by BitLocker
When you use BitLocker, the encrypted volumes will be locked if the encryption key is not
available, causing BitLocker to enter recovery mode. Likely causes for the encryption key’s
unavailability include:
• Modification of one of the boot files.
• The BIOS is modified and the TPM is disabled.
• The TPM is cleared.
• An attempt is made to boot without the TPM, PIN, or USB key being available.
• The BitLocker-encrypted disk is moved to a new computer.
After the drive is locked, you can boot only to recovery mode, as shown in Figure 16-19. In
recovery mode, you enter the recovery password using the function keys on your keyboard
(just as you do when entering the PIN), pressing F1 for the digit 1, F2 for the digit 2, and so
forth, with F10 being the digit 0. You must use function keys because localized keyboard
support is not yet available at this phase of startup.
FIGURE 16-19 Recovery mode prompts you for a 48-character recovery password.
If you have the recovery key on a USB flash drive, you can insert the recovery key and
press Esc to restart the computer. The recovery key will be read automatically during startup.
If you cancel recovery, the Windows Boot Manager will provide instructions for using
Startup Repair to fix a startup problem automatically. Do not follow these instructions because
Startup Repair cannot access the encrypted volume. Instead, restart the computer and
enter the recovery key.
MORE INFO Additionally, you can use the BitLocker Repair Tool, Repair-bde.exe, to help
recover data from an encrypted volume. If a BitLocker failure prevents Windows 7 from
starting, you can run repair-bde from the Windows Recovery Environment (Windows RE)
command prompt. For more information about repair-bde, run repair-bde /? at a command
prompt. For more information about troubleshooting startup problems, including using
repair-bde, refer to Chapter 29.
How to Disable or Remove BitLocker Drive Encryption
Because BitLocker intercepts the boot process and looks for changes to any of the early boot
files, it can cause problems in the following nonattack scenarios:
• Upgrading or replacing the motherboard or TPM
• Installing a new operating system that changes the MBR or the Boot Manager
• Moving a BitLocker-encrypted disk to another TPM-enabled computer
• Repartitioning the hard disk
• Updating the BIOS
• Installing a third-party update outside the operating system (such as hardware firmware
updates)
To avoid entering BitLocker recovery mode, you can temporarily disable BitLocker, which
allows you to change the TPM and upgrade the operating system. When you re-enable
BitLocker, the same keys will be used. You can also choose to decrypt the BitLocker-protected
volume, which will completely remove BitLocker protection. You can only re-enable BitLocker
by repeating the process to create new keys and re-encrypt the volume. To disable or decrypt
BitLocker, follow these steps:
1. Log on to the computer as Administrator.
2. From Control Panel, open BitLocker Drive Encryption.
3. To temporarily disable BitLocker by using a clear key, click Suspend Protection and
then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click
Decrypt Drive.
How to Decommission a BitLocker Drive Permanently
Compromises in confidentiality can occur when computers or hard disks are decommissioned.
For example, a computer that reaches the end of its usefulness at an organization might be
discarded, sold, or donated to charity. The person who receives the computer might extract
confidential files from the computer’s hard disk. Even if the disk has been formatted, data can
often be extracted.
BitLocker reduces the risks of decommissioning drives. For example, if you use a startup
key or startup PIN, the contents of the volume are inaccessible without this additional
information or the drive’s saved recovery information.
You can decommission a drive more securely by removing all key blobs from the disk. By
deleting the BitLocker keys from the volume, an attacker needs to crack the encryption—a
task that is extremely unlikely to be accomplished within anyone’s lifetime. As a cleanup task,
you should also discard all saved recovery information, such as recovery information saved to
AD DS.
To remove all key blobs on a secondary drive (data volume), you can format that drive
from Windows or the Windows RE. Note that this format operation will not work on a drive
that is currently in use. For example, you cannot use it to more securely decommission the
drive used to run Windows.
To remove all key blobs on a running drive, you can create a script that performs the
following tasks:
1. Calls the Win32_EncryptableVolume.GetKeyProtectors method to retrieve all key protectors
(KeyProtectorType 0).
2. Creates a not-to-be-used recovery password blob (discarding the actual recovery
password) by using Win32_EncryptableVolume.ProtectKeyWithNumericalPassword
and a randomly generated password sequence. This is required because
Win32_EncryptableVolume.DeleteKeyProtector will not remove all key protectors.
3. Uses Win32_EncryptableVolume.DeleteKeyProtector to remove all of the usable key
protectors associated with the identifiers mentioned previously.
4. Clears the TPM by calling the Win32_TPM.Clear method.

For more information about developing a script or application to perform secure
decommissioning on a BitLocker-encrypted drive, refer to the Win32_EncryptableVolume WMI
provider class documentation and the Win32_TPM WMI provider class documentation at
/aa376484.aspx.
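The four-step decommissioning script described above, written as an added PowerShell example against the Win32_EncryptableVolume and Win32_TPM WMI classes (this is not code from the Resource Kit). Assumptions: it runs from an elevated prompt on the computer that holds the drive; passing $null as the numerical password makes BitLocker generate a random one, which the chapter only describes as "randomly generated"; and the TPM clear may additionally require a physical-presence confirmation at the next boot.

```powershell
# Added example: make a running BitLocker volume permanently unrecoverable before the
# disk is disposed of (not part of the Resource Kit). Destructive by design.

function Invoke-BitLockerDecommission {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$DriveLetter,   # for example 'C:'
        [switch]$ClearTpm
    )

    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($vol -eq $null) { throw "No BitLocker-capable volume found for $DriveLetter" }

    # Step 1: collect the IDs of every existing key protector (KeyProtectorType 0 = all types).
    $enum = $vol.GetKeyProtectors(0)
    if ($enum.ReturnValue -ne 0) { throw ('GetKeyProtectors failed: 0x{0:X8}' -f $enum.ReturnValue) }
    $usable = @($enum.VolumeKeyProtectorID)
    Write-Verbose "$DriveLetter currently has $($usable.Count) key protector(s)"

    $action = "Delete all $($usable.Count) key protector(s); data on this volume becomes unrecoverable"
    if (-not $PSCmdlet.ShouldProcess($DriveLetter, $action)) { return }

    # Step 2: add a throwaway recovery password protector, because DeleteKeyProtector will not
    # remove all key protectors. Passing $null (assumption) lets BitLocker generate a random
    # 48-digit password; the returned object is never displayed or saved, which is the point.
    $added = $vol.ProtectKeyWithNumericalPassword('Decommission (discarded)', $null)
    if ($added.ReturnValue -ne 0) { throw ('ProtectKeyWithNumericalPassword failed: 0x{0:X8}' -f $added.ReturnValue) }

    # Step 3: delete every protector that existed before step 2 (TPM, PIN, startup key,
    # recovery password, ...), leaving only the throwaway one.
    foreach ($id in $usable) {
        $del = $vol.DeleteKeyProtector($id)
        if ($del.ReturnValue -ne 0) { Write-Warning ('DeleteKeyProtector {0} failed: 0x{1:X8}' -f $id, $del.ReturnValue) }
    }

    # Step 4 (optional): clear the TPM so it no longer holds the sealed key for this volume.
    if ($ClearTpm) {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_TPM
        if ($tpm -eq $null) { Write-Warning 'No TPM found; skipping clear'; return }
        $clr = $tpm.Clear($null)   # OwnerAuth omitted (assumption); may need physical presence at reboot
        if ($clr.ReturnValue -ne 0) { Write-Warning ('TPM Clear returned 0x{0:X8}' -f $clr.ReturnValue) }
    }
    # Remaining cleanup is outside WMI: discard saved recovery information (files, printouts, AD DS).
}

# Example call: prompts for confirmation, then destroys every usable protector on D:.
# Invoke-BitLockerDecommission -DriveLetter 'D:' -ClearTpm -Verbose
```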
How to Prepare AD DS for BitLocker
BitLocker is also integrated into AD DS. In fact, although you can use BitLocker without AD
DS, enterprises really shouldn’t—key recovery and data recovery agents are an extremely
important part of using BitLocker. AD DS is a reliable and efficient way to store recovery keys
so that you can restore encrypted data if a key is lost, and you must use Group Policy settings
to configure data recovery agents.
If your AD DS is at the Windows Server 2008 or later functional level, you do not need to
prepare the AD DS for BitLocker. If your AD DS is at a functional level of Windows Server 2003
or earlier, however, you will need to update the schema to support BitLocker. For detailed
instructions on how to configure AD DS to back up BitLocker and TPM recovery information,
read “Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted
Platform Module Recovery Information.” For information about retrieving recovery passwords
from AD DS, read “How to Use the BitLocker Recovery Password Viewer For Active Directory
Users And Computers Tool to View Recovery Passwords for Windows Vista.”
How to Configure a Data Recovery Agent
Earlier versions of Windows supported storing BitLocker recovery keys in AD DS. This works
well, but each BitLocker-protected volume has a unique recovery key. In enterprises, this can
consume a large amount of space in AD DS. By using a data recovery agent instead of storing
recovery keys in AD DS, you can store a single certificate in AD DS and use it to recover any
BitLocker-protected volume.
To configure a data recovery agent, follow these steps:
1. Publish the future data recovery agent’s certificate to AD DS. Alternatively, export the
certificate to a .cer file and have it available.
2. Open a Group Policy object that targets the Windows 7 computers using the Group
Policy Object Editor and then select Computer Configuration\Policies\Windows Settings
\Security Settings\Public Key Policies.
3. Right-click BitLocker Drive Encryption, click Add Data Recovery Agent to start the Add
Recovery Agent Wizard, and then click Next.
4. On the Select Recovery Agents page, click Browse Directory (if the certificate is stored in
AD DS) or Browse Folders (if you have saved the .cer file locally). Select a .cer file to use
as a data recovery agent. After the file is selected, it will be imported and will appear in
the Recovery Agents list in the wizard. You can specify multiple data recovery agents.
After you specify all of the data recovery agents that you want to use, click Next.
5. The Completing The Add Recovery Agent page of the wizard displays a list of the data
recovery agents that will be added to the Group Policy object. Click Finish to confirm
the data recovery agents and close the wizard.
The next time Group Policy is applied to the targeted Windows 7 computers, the data
recovery agent certificate will be applied to the drive. At that point, you will be able to recover a
BitLocker-protected drive using the certificate configured as the data recovery agent. Because
of this, you must carefully protect the data recovery agent certificate.
How to Manage BitLocker with Group Policy
BitLocker has several Group Policy settings located in Computer Configuration\Policies
\Administrative Templates\Windows Components\BitLocker Drive Encryption that you can
use to manage the available features. Table 16-2 lists these policies, which are written to the
registry on targeted computers under the following registry key:
HKLM\Software\Policies\Microsoft\FVE
TABLE 16-2 Group Policy Settings for BitLocker Drive Encryption

Policy: Store BitLocker Recovery Information In Active Directory Domain Services (Windows
Server 2008 And Windows Vista)
Description: Enabling this policy silently backs up BitLocker recovery information to AD DS.
For computers running Windows 7 and Windows Server 2008 R2, enable the Fixed Data Drives
\Choose How BitLocker-Protected Fixed Drives Can Be Recovered, Operating System Drives
\Choose How BitLocker-Protected Operating System Drives Can Be Recovered, or Removable
Data Drives\Choose How BitLocker-Protected Removable Drives Can Be Recovered policies.

Policy: Choose Default Folder For Recovery Password
Description: Enabling this policy and configuring a default path for it sets the default folder
to display when the user is saving recovery information for BitLocker. The user will have the
ability to override the default.

Policy: Choose How Users Can Recover BitLocker-Protected Drives (Windows Server 2008 And
Windows Vista)
Description: Enabling this policy allows you to control which recovery mechanisms the user
can choose. Disabling the recovery password will disable saving to a folder or printing the key
because these actions require the 48-digit recovery password. Disabling the 256-bit recovery
key will disable saving to a USB key. If you disable both options, you must enable AD DS backup
or a policy error will occur. For computers running Windows 7 and Windows Server 2008 R2,
enable the Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered,
Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can Be
Recovered, or Removable Data Drives\Choose How BitLocker-Protected Removable Drives Can
Be Recovered policies.

Policy: Choose Drive Encryption Method And Cipher Strength
Description: Enabling this policy allows configuration of the encryption method used by
BitLocker Drive Encryption. The default if this key is not enabled is 128-bit AES with Diffuser.
Other choices that can be configured are 256-bit AES with Diffuser, 128-bit AES, and 256-bit AES.

Policy: Prevent Memory Overwrite On Restart
Description: Enabling this policy prevents Windows from overwriting memory on restarts. This
potentially exposes BitLocker secrets but can improve restart performance.

Policy: Provide The Unique Identifiers For Your Organization
Description: Enable this policy if you want to prevent users from mounting BitLocker-protected
drives that might be from outside organizations.

Policy: Validate Smart Card Certificate Usage Rule Compliance
Description: Enable this policy only if you want to restrict users to smart cards that have an
object identifier (OID) that you specify.

Policy: Operating System Drives\Require Additional Authentication At Startup or Operating
System Drives\Require Additional Authentication At Startup (Windows Server 2008 And Windows
Vista)
Description: Enabling this policy allows configuring additional startup options and allows
enabling of BitLocker on a non–TPM-compatible computer. On TPM-compatible computers, a
secondary authentication can be required at startup—either a USB key or a startup PIN, but
not both.

Policy: Allow Enhanced PINs For Startup
Description: Enhanced PINs permit the use of characters including uppercase and lowercase
letters, symbols, numbers, and spaces. By default, enhanced PINs are disabled.

Policy: Operating System Drives\Configure Minimum PIN Length For Startup
Description: Enables you to require a minimum PIN length.

Policy: Operating System Drives\Choose How BitLocker-Protected Operating System Drives Can
Be Recovered
Description: Enabling this policy allows you to control which recovery mechanisms the user
can choose and whether recovery information is stored in the AD DS. Disabling the recovery
password will disable saving to a folder or printing the key because these actions require the
48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.

Policy: Operating System Drives\Configure TPM Platform Validation Profile
Description: Enabling this policy allows detailed configuration of the PCR indices. Each index
aligns with Windows features that run during startup.

Policy: Fixed Data Drives\Configure Use Of Smart Cards On Fixed Data Drives
Description: Enables or requires smart cards for BitLocker to protect non–operating system
volumes.

Policy: Fixed Data Drives\Deny Write Access To Fixed Drives Not Protected By BitLocker
Description: Requires drives to be BitLocker-protected before users can save files.

Policy: Fixed Data Drives\Allow Access To BitLocker-Protected Fixed Data Drives From Earlier
Versions Of Windows
Description: Allows you to prevent the BitLocker To Go Reader from being copied to fixed data
drives, preventing users of earlier versions of Windows (including Windows Server 2008,
Windows Vista, and Windows XP SP2 or SP3) from entering a password to access the drive.

Policy: Fixed Data Drives\Configure Use Of Passwords For Fixed Drives
Description: Requires passwords to access BitLocker-protected fixed drives and configures
password complexity.

Policy: Fixed Data Drives\Choose How BitLocker-Protected Fixed Drives Can Be Recovered
Description: Enabling this policy allows you to control which recovery mechanisms the user
can choose and whether recovery information is stored in the AD DS. Disabling the recovery
password will disable saving to a folder or printing the key because these actions require the
48-digit recovery password. Disabling the 256-bit recovery key will disable saving to a USB key.
For information about BitLocker To Go policies (which are configured in the Removable
Data Drives node), refer to the section titled “BitLocker To Go” earlier in this chapter.
The Costs of BitLocker
Most security features require a tradeoff. The benefit to any security feature is that it reduces
risk and thus reduces the cost associated with a security compromise. Most security features
also have a cost—purchase price, increased maintenance, or decreased user productivity.
The benefit of using BitLocker is reduced risk of loss of data confidentiality in the event of
a stolen hard disk. Like most security features, BitLocker has costs (aside from any software or
hardware costs):
• If a PIN or external key is required, the startup experience is not transparent to the
user. If the user loses his PIN or startup key, he will need to wait for a Support Center
representative to read him the password so that he can start his computer.
• In the event of hard disk failure or data corruption, recovering data from the disk can
be more difficult.
MORE INFO You should implement BitLocker in your organization only if the reduced
security risks outweigh these costs. For more information about cost/benefit analysis, read
the Security Risk Management Guide at /cc163143.aspx.
Encrypting File System
BitLocker is not a replacement for the EFS introduced in Windows 2000, but it is a supplement
to the EFS that ensures that the operating system itself is protected from attack. Best practices
for protecting sensitive computers and data will combine the two features to provide a
high level of assurance of the data integrity on the system.
EFS continues to be an important data-integrity tool in Windows 7. EFS allows the encryption
of entire volumes or individual folders and files and can support multiple users using
the same computer, each with protected data. Additionally, EFS allows multiple users to have
secure access to sensitive data while protecting the data against unauthorized viewing or
modification. EFS cannot be used to encrypt system files, however, and it should be combined
with BitLocker to encrypt the system drive where sensitive data must be protected. EFS is
susceptible to offline attack using the SYSKEY, but when you combine EFS with BitLocker to
encrypt the system volume, this attack vector is protected.
EFS uses symmetric key encryption along with public key technology to protect files and
folders. Each user of EFS is issued a digital certificate with a public and private key pair. EFS uses
the keys to encrypt and decrypt the files transparently for the logged-on user. Authorized users
work with encrypted files and folders just as they do with unencrypted files and folders.
Unauthorized users receive an Access Denied message in response to any attempt to open, copy,
move, or rename the encrypted file or folder.
Files are encrypted with a single symmetrical key, and then the symmetrical key is encrypted
twice: once with the user’s EFS public key to allow transparent decryption and once with
the recovery agent’s key to allow data recovery.
The sections that follow describe how to manage EFS keys. For general information
about EFS, read “Encrypting File System in Windows XP and Windows Server 2003.”
How to Export Personal Certificates
To prevent being unable to access an encrypted file, you can export your personal certificate.
When you export your certificate, you can then copy or move the encrypted file to another
computer and still access it by importing the certificate you exported.
To export your personal certificate, follow these steps:
1. Open Windows Explorer and select a file that you have encrypted.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Select your user name and then click Back Up Keys to open the Certificate Export Wizard.
6. Click Next to select the file format to use.
7. Click Next and enter a password to protect the key. Repeat the entry and then click
Next.
8. Enter a path and filename to save the file to, or browse for a path. Click Next.
9. Click Finish to export the certificate and then click OK to confirm that it was saved
successfully.
How to Import Personal Certificates
You can share encrypted files with other users if you have the certificate for the other user. To
allow another user to use a file that you have encrypted, you need to import her certificate
onto your computer and add her user name to the list of users who are permitted access to
the file.
To import a user certificate, follow these steps:
1. Click Start, type mmc, and then press Enter to open a blank Microsoft Management
Console (MMC).
2. Click File and then click Add/Remove Snap-in.
3. Select Certificates and click Add. Select My User Account and click Finish. Click OK to
close the Add Or Remove Snap-in dialog box.
4. Click Certificates and then double-click Trusted People.
5. Under Trusted People, right-click Certificates. On the All Tasks menu, click Import to
open the Certificate Import Wizard.
6. Click Next and then browse to the location of the certificate you want to import.
7. Select the certificate and then click Next.
8. Type the password for the certificate and then click Next.
9. Click Next to place the certificate in the Trusted People store.
10. Click Finish to complete the import.
11. Click OK to acknowledge the successful import and then exit the MMC.
How to Grant Users Access to an Encrypted File
When you have a user’s certificate, you can add that user to the list of users who have access
to a file. A user’s certificate will be on a computer automatically if the user has logged on to
the computer previously.
To add a user whose certificate you have imported to the users who can access a file,
follow these steps:
1. Open Windows Explorer and highlight the file you want to receive access.
2. Right-click the file and then select Properties.
3. Click Advanced on the General tab.
4. Click Details on the Advanced Attributes tab to open the User Access dialog box.
5. Click Add to open the Encrypting File System dialog box and then select the user you
want to permit to use the encrypted file.
6. Click OK to add the user to the list of users who have access to the file.
7. Click OK until you’ve exited out of the dialog boxes.
You do not need to grant EFS access to allow users to access files across the network—EFS
does not affect shared folders.
Symbolic Links
Windows Vista and Windows 7 include symbolic links. Symbolic links act like shortcuts, but
they provide a transparent link to the target file at the file-system level rather than within
Windows Explorer. Therefore, although a user can double-click a shortcut from Windows
Explorer to open the original file, a symbolic link will actually trick applications into thinking
they are directly accessing the target file.
As an administrator, you might need to use symbolic links for backward compatibility.
For example, if an application expects to find a file in the root of the C drive but you need to
move the file to a different location on the local disk, you can create a symbolic link in the
root of the C drive to the file’s new location, allowing the application to continue to access the
file in the root of the C drive. Windows Vista and Windows 7 use symbolic links for backward
compatibility with user profiles in earlier versions of Windows. For more information, read
Chapter 15, “Managing Users and User Data.”
HOW IT WORKS
Symbolic Links, Hard Links, Junction Points, and Shortcuts
Windows Vista and Windows 7 support four different types of links, each providing a
slightly different function:
• Shortcuts Shortcuts are files with a .lnk extension. If you double-click them within the
Windows Explorer shell, Windows will open the target file. However, the file system treats
.lnk files just like any other files. For example, opening a .lnk file from a command prompt
does not open the target file.
• Hard links Hard links create a new directory entry for an existing file, so a single file can
appear in multiple folders (or in a single folder using multiple filenames). Hard links must
all be on a single volume.
• Junction points Also known as soft links, junction points reference a folder using an
absolute path. Windows automatically redirects requests for a junction point to the target
folder. Junction points do not have to be on the same volume.
• Symbolic links A pointer to a file or folder. Like junction points, symbolic links are almost
always transparent to users. (Occasionally, a program might use an outdated application
programming interface [API] that does not respect a symbolic link.) Symbolic links use
relative paths rather than absolute paths.
How to Create Symbolic Links
By default, only administrators can create symbolic links. However, you can grant other users
access using the Computer Configuration\Windows Settings\Security Settings\Local Policies
\User Rights Assignment\Create Symbolic Links setting.
To create a symbolic link, open a command prompt with administrative privileges and
use the mklink command. For example, the following command creates a symbolic link from
C:\Myapp.exe to Notepad in the system directory.
C:\>mklink myapp.exe %windir%\system32\notepad.exe
Symbolic link created for myapp.exe <<===>> C:\Windows\system32\notepad.exe
NOTE Developers can call the CreateSymbolicLink function to create symbolic links.
After you create this symbolic link, the Myapp.exe link behaves exactly like a copy of the
Notepad.exe file. Windows Explorer displays symbolic links using the standard shortcut
symbol. However, shortcuts always have a .lnk extension, whereas symbolic links can have
any extension. At a command prompt, the dir command uses the <SYMLINK> identifier to
distinguish symbolic links and displays the path to the target file.
C:\>dir

Volume in drive C has no label.
Volume Serial Number is BC33-D7AC

Directory of C:\

09/18/2006 04:43 PM 24 AUTOEXEC.BAT
09/18/2006 04:43 PM 10 config.sys
12/27/2006 12:16 PM <SYMLINK> myapp.exe [C:\Windows\system32\notepad.exe]
12/23/2006 04:47 PM <DIR> Program Files
11/29/2006 03:31 PM <DIR> Users
12/27/2006 08:39 AM <DIR> Windows
Because a symbolic link is only a link, any changes made to the link actually affect the
target file and vice versa. If you create a symbolic link and then delete the target file, the
symbolic link will remain, but any attempts to access it will return a File Not Found error because
Windows will attempt to access the link target automatically. If you delete a target file and
later replace it with a file of the same name, that new file will become the link target. Deleting
a link does not affect the link target. Attribute changes to the symbolic link, such as marking a
file as hidden or as a system file, are applied to both the symbolic link and the target file.
How to Create Relative or Absolute Symbolic Links
Relative symbolic links identify the location of the target based on their own folder. For
example, a relative symbolic link to a target file in the same folder will always attempt to access
a target with the specified filename in the same folder, even if the symbolic link is moved. You
can create relative or absolute symbolic links, but all symbolic links are relative by default. For
example, consider the following commands, which attempt to create a symbolic link named
Link.txt to a file named Target.txt and then attempt to access the symbolic link before and
after moving the target file.
C:\>mklink link.txt target.txt
C:\>type link.txt
Hello, world.
C:\>REM Move link.txt to a different folder
C:\>move link.txt C:\links
1 file(s) moved.
C:\>cd links
C:\links>type link.txt
The system cannot find the file specified.
C:\links>move \target.txt C:\links
C:\links>type link.txt
Hello, world.
In the previous example, moving the symbolic link to a different folder causes Windows
to be unable to locate the target because the symbolic link is a relative link pointing to a file
named Target.txt in the same folder. When both the link and the target are moved to the
same folder, the symbolic link works again.
Now consider the same example using an absolute symbolic link, created by specifying the
full path to the target file:
C:\>mklink link.txt C:\target.txt
C:\>type link.txt
Hello, world.
C:\>REM Move link.txt to a different folder
C:\>move link.txt C:\links
1 file(s) moved.
C:\>cd links
C:\links>type link.txt
Hello, world.
C:\links>move C:\target.txt C:\links\
C:\links>type link.txt
The system cannot find the file specified.
In the last example, specifying the full path to the target file creates an absolute symbolic
link that references the full path to the target file. Therefore, the symbolic link still works after
it is moved to a different folder. However, moving the target file makes it inaccessible.
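The two mklink experiments above, replayed as an added example (not code from the Resource Kit): os.symlink creates a relative link when given a bare filename and an absolute link when given a full path, and the scratch folder, target.txt and links subfolder are constructed inline. It relies only on the rule the text describes, that a relative target is resolved against the folder that holds the link, which NTFS and POSIX file systems share; on Windows the account needs the right to create symbolic links.

```python
"""Relative versus absolute symbolic links when the link or the target moves.

Added example, not from the Windows 7 Resource Kit. The scratch folder and
files are constructed here; os.symlink stands in for mklink.
"""
import os
import shutil
import tempfile


def read_through_link(link_path):
    """Return the target's text, or None when the target cannot be found
    (the 'system cannot find the file specified' case in the chapter)."""
    try:
        with open(link_path, encoding="utf-8") as f:
            return f.read()
    except FileNotFoundError:
        return None


def run_experiment(absolute):
    """Create target.txt and link.txt in a scratch folder, move the link into
    a links subfolder, then move the target there too, recording what
    `type link.txt` would show at each step as (step, content_or_None)."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "target.txt")
        link = os.path.join(root, "link.txt")
        links_dir = os.path.join(root, "links")
        os.mkdir(links_dir)
        with open(target, "w", encoding="utf-8") as f:
            f.write("Hello, world.")
        # mklink link.txt target.txt     -> relative link (the default)
        # mklink link.txt C:\target.txt  -> absolute link
        os.symlink(target if absolute else "target.txt", link)
        results = [("created", read_through_link(link))]
        # move link.txt C:\links
        moved_link = os.path.join(links_dir, "link.txt")
        shutil.move(link, moved_link)
        results.append(("link moved", read_through_link(moved_link)))
        # move C:\target.txt C:\links\
        shutil.move(target, os.path.join(links_dir, "target.txt"))
        results.append(("target moved", read_through_link(moved_link)))
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for mode in (False, True):
        print("absolute" if mode else "relative", run_experiment(mode))
```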
How to Create Symbolic Links to Shared Folders
You can create symbolic links on the local file system to files stored on other local drives or shared folders. However, when you use the mklink command, you must always specify the absolute path to the remote target file because the mklink command by default assumes that the location is relative. For example, suppose you want to create a symbolic link named C:\Link.txt that targets a file on a shared folder at Z:\Target.txt. If you run the following commands, you will successfully create a symbolic link at C:\Link.txt.
C:\>Z:
Z:\>mklink C:\link.txt target.txt
However, that file will link to C:\Target.txt and not the intended Z:\Target.txt. To create a
link to the Z:\Target.txt file, you need to run the following command.
C:\>mklink C:\link.txt Z:\target.txt
The mklink command also allows you to create a symbolic link targeting a Universal Naming Convention (UNC) path. For example, if you run the following command, Windows will create a symbolic link file called Link.txt that opens the Target.txt file.
Mklink link.txt \\server\folder\target.txt
If you enable remote symbolic links (discussed later in this section), they can be used to
store symbolic links on shared folders and automatically redirect multiple Windows network
clients to a different file on the network.
By default, you can use symbolic links only on local volumes. If you attempt to access a
symbolic link located on a shared folder (regardless of the location of the target) or copy a
symbolic link to a shared folder, you will receive an error. You can change this behavior by
configuring the following Group Policy setting:
Computer Configuration\Administrative Templates\System\NTFS File System\Selectively Allow The Evaluation Of A SymbolicLink
When you enable this policy setting, you can select from four settings:
• Local Link To Local Target - Enabled by default, this allows local symbolic links to targets on the local file system.
• Local Link To Remote Target - Enabled by default, this allows local symbolic links to targets on shared folders.
• Remote Link To Remote Target - Disabled by default, this allows remote symbolic links to remote targets on shared folders.
• Remote Link To Local Target - Disabled by default, this allows remote symbolic links to targets on the local file system.
Enabling remote links can introduce security vulnerabilities. For example, a malicious user can
create a symbolic link on a shared folder that references an absolute path on the local computer.
When a user attempts to access the symbolic link, he will actually be accessing a different file
that might contain confidential information. In this way, a sophisticated attacker might be able
to trick a user into compromising the confidentiality of a file on his local computer.
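Before enabling either remote-link setting, an administrator can inventory the links already sitting on a share. The following audit is an added example, not the Resource Kit's code: it walks a share root, classifies every symbolic link by where its target resolves, and reports absolute targets (a drive letter, a UNC path or a POSIX root) and relative targets that climb out of the share, which are the links the paragraph above warns about. build_and_audit_sample() constructs a scratch share with one benign and two risky links so the audit can run offline.

```python
"""Audit a shared folder for symbolic links that redirect outside the share.

Added example, not from the Windows 7 Resource Kit. The sample share and
its links are constructed inline.
"""
import os
import shutil
import tempfile


def classify_link(link_path, share_root):
    """Return 'relative-inside', 'relative-escapes' or 'absolute'."""
    raw = os.readlink(link_path)
    # Absolute forms: POSIX /path, Windows drive letter X:\path, UNC \\server\share.
    if os.path.isabs(raw) or raw.startswith(("\\\\", "//")) or raw[1:2] == ":":
        return "absolute"
    # A relative target resolves against the folder that holds the link.
    resolved = os.path.normpath(os.path.join(os.path.dirname(link_path), raw))
    share = os.path.normpath(share_root)
    try:
        inside = os.path.commonpath([share, resolved]) == share
    except ValueError:  # different drives on Windows
        inside = False
    return "relative-inside" if inside else "relative-escapes"


def audit_share(share_root):
    """Map each symbolic link (path relative to share_root) that is not a
    relative link staying inside the share to its classification."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(share_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                kind = classify_link(path, share_root)
                if kind != "relative-inside":
                    findings[os.path.relpath(path, share_root)] = kind
    return findings


def build_and_audit_sample():
    """Construct a scratch share with three links, audit it, and clean up."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as f:
            f.write("public")
        # Benign: relative link that stays inside the share.
        os.symlink(os.path.join("docs", "readme.txt"), os.path.join(root, "readme-link.txt"))
        # Risky: relative link that climbs out of the share root.
        os.symlink(os.path.join("..", "..", "escaped.txt"), os.path.join(root, "escape.txt"))
        # Risky: absolute link to a path on the file server itself.
        os.symlink(os.path.join(os.sep, "local-secret.txt"), os.path.join(root, "abs.txt"))
        return audit_share(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for link, kind in build_and_audit_sample().items():
        print(f"{kind:17} {link}")
```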
How to Use Hard Links
Hard links create a second directory entry for a single file, whereas symbolic links create a
new file that references an existing file. This subtle difference yields significantly different
behavior.
You can create hard links by adding the /H parameter to the mklink command. For
example, the following command creates a hard link from Link.txt to Target.txt.
C:\>mklink /H link.txt target.txt
Hardlink created for link.txt <<===>> target.txt
As with symbolic links, any changes made to the hard link are made automatically to the target (including attribute changes) and vice versa because the file itself is stored only once on the volume. However, hard links have several key differences:
• Hard links must refer to files on the same volume, while symbolic links can refer to files or folders on different volumes or shared folders.
• Hard links can refer only to files, while symbolic links can refer to either files or folders.
• Windows maintains hard links, so the link and the target remain accessible even if you move one of them to a different folder.
• Hard links survive deleting the target file. A target file is deleted only if the target file and all hard links are deleted.
• If you delete a symbolic link target and then create a new file with the same name as the target, the symbolic link will open the new target. Hard links will continue to reference the original target file, even if you replace the target.
• Hard links do not show up as symbolic links in dir command-line output, and Windows Explorer does not show a shortcut symbol for them. Hard links are indistinguishable from the original file.
• Changes made to file permissions on a hard link apply to the target file and vice versa. With symbolic links, you can configure separate permissions on the symbolic link, but the permissions are ignored.
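The fourth and fifth differences in the list above, demonstrated as an added example (not the Resource Kit's code): a hard link (os.link, the equivalent of mklink /H) and a symbolic link (os.symlink) to the same target.txt are read before the target is deleted, after it is deleted, and after a new target.txt is written. The scratch folder is constructed inline; the link semantics shown are those of NTFS and POSIX alike.

```python
"""Hard link versus symbolic link when the target is deleted and replaced.

Added example, not from the Windows 7 Resource Kit. A hard link is a second
directory entry for the same file data, so it keeps the original contents;
a symbolic link is a name resolved on every access, so it follows whatever
file currently carries the target name.
"""
import os
import shutil
import tempfile


def read_or_none(path):
    """Contents of path, or None if the name cannot be resolved to a file."""
    try:
        with open(path, encoding="utf-8") as f:
            return f.read()
    except FileNotFoundError:
        return None


def delete_and_replace_target():
    """Return what each link shows (a) initially, (b) after the target is
    deleted, (c) after a new target.txt is written, plus the directory-entry
    count of the target before deletion."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "target.txt")
        hard = os.path.join(root, "hard.txt")
        sym = os.path.join(root, "sym.txt")
        with open(target, "w", encoding="utf-8") as f:
            f.write("original")
        os.link(target, hard)            # mklink /H hard.txt target.txt
        os.symlink("target.txt", sym)    # mklink sym.txt target.txt
        seen = {
            "nlink_before_delete": os.stat(target).st_nlink,  # 2 entries, 1 file
            "hard": [read_or_none(hard)],
            "sym": [read_or_none(sym)],
        }
        os.remove(target)                # del target.txt
        seen["hard"].append(read_or_none(hard))   # data survives via hard link
        seen["sym"].append(read_or_none(sym))     # dangling: File Not Found
        with open(target, "w", encoding="utf-8") as f:
            f.write("replacement")       # new file with the old name
        seen["hard"].append(read_or_none(hard))   # still the original file
        seen["sym"].append(read_or_none(sym))     # now opens the new file
        return seen
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(delete_and_replace_target())
```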
Windows XP supports hard links by using the fsutil hardlink command. Windows Vista and Windows 7 hard links are compatible with Windows XP hard links, and the fsutil hardlink command continues to function in Windows Vista and Windows 7.
Disk Quotas
Administrators can configure disk quotas to control how much of a volume a single user can
fill with files. This is most useful when implemented on a server that hosts shared folders.
However, you might also need to implement disk quotas on client computers in environments
in which multiple users access a single computer because they can help prevent a single user
from completely filling a volume and thereby preventing other users from saving files. Disk
quotas have not changed significantly since Windows XP.
Before enabling disk quotas, consider whether they are worthwhile. Managing disk quotas
requires administrators to monitor disk quota events, such as a user exceeding a disk storage
threshold. Administrators must then work with users to either increase the quota or identify
files that can be removed. Often, it is less expensive to simply add more disk storage, even if
the users do not closely manage their disk usage.
How to Configure Disk Quotas on a Single Computer
To configure disk quotas on a single computer, follow these steps:
1. Click Start and then click Computer.
2. In the right pane, right-click the drive on which you want to configure the quotas and
then click Properties.
3. Click the Quota tab and then click Show Quota Settings. The Quota Settings dialog box
appears.
4. Select the Enable Quota Management check box, as shown in Figure 16-20.
FIGURE 16-20 Disk quotas control how much of a disk users can fill.
From this dialog box, you can configure the following disk quota options:
• Enable Quota Management - Quota management is disabled by default. Select this check box to enable quota management.
• Deny Disk Space To Users Exceeding Quota Limit - By default, users are warned only if they exceed their quota limits. Selecting this check box causes Windows to block disk access after the quota is exceeded. Typically, warning users is sufficient, provided that you also log the events and follow up with users who do not clean up their disk space. Denying disk access will cause applications to fail when they attempt to write more data to the disk and can cause users to lose unsaved work.
note To determine quota limitations for users, developers can call the ManagementObjectSearcher.Get WMI method to retrieve a ManagementObjectCollection object and then access the collection’s QuotaVolume item.
• Do Not Limit Disk Usage - Does not configure disk quotas for new users by default. You can still use the Quota Entries window to configure disk quotas for users.
• Limit Disk Space To and Set Warning Level To - Creates a disk quota by default for new users. The value in the Set Warning Level To box should be lower than that in the Limit Disk Space To box so that the user receives a warning before running out of available disk space.
• Log Event When A User Exceeds Their Quota Limit and Log Event When A User Exceeds Their Warning Level - Configures Windows to add an event when the user exceeds her quota. You should typically select this check box and then monitor the events so that IT support can communicate directly with the user to keep the user within her quotas (or increase the quotas as needed).
Additionally, you can click Quota Entries to configure quota settings for existing users and groups.
How to Configure Disk Quotas from a Command Prompt
To view and manage disk quotas from scripts or from the command line, use the Fsutil administrative command-line utility. Useful Fsutil commands include:
• fsutil quota query C: - Displays quota information about the C volume, as the following example shows.
C:\>fsutil quota query C:
FileSystemControlFlags = 0x00000301
Quotas are tracked on this volume
Logging for quota events is not enabled
The quota values are incomplete

Default Quota Threshold = 0xffffffffffffffff
Default Quota Limit = 0xffffffffffffffff

SID Name = BUILTIN\Administrators (Alias)
Change time = Tuesday, April 11, 2006 7:54:59 AM
Quota Used = 0
Quota Threshold = 18446744073709551615
Quota Limit = 18446744073709551615
• fsutil quota track C: - Enables disk quotas on the C volume.
• fsutil quota disable C: - Disables disk quotas on the C volume.
• fsutil quota enforce C: - Enables disk quota enforcement on the C volume, which causes Windows to deny disk access if a quota is exceeded.
• fsutil quota modify C: 3000000000 5000000000 Contoso\User - Creates a disk quota entry for the user Contoso\User. The first number (3,000,000,000 in the preceding example) enables a warning threshold at about 3 GB, and the second number (5,000,000,000 in the preceding example) enables an absolute limit of about 5 GB.
For complete usage information, run fsutil /? from a command prompt.
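When quotas are managed from scripts, the text that fsutil quota query prints is the only machine-readable record of the volume's state. The parser below is an added example, not the Resource Kit's code: it reads that output (fsutil itself runs only on Windows, so SAMPLE is a constructed capture in the format shown above, with one per-user entry added), decodes the FileSystemControlFlags bits, treats 0xffffffffffffffff as "no limit", and then lists the weak settings an audit should raise, such as quotas that are tracked but not enforced or logged.

```python
"""Parse `fsutil quota query <volume>` output and flag weak quota settings.

Added example, not from the Windows 7 Resource Kit. SAMPLE is constructed
from the output format shown in the chapter plus one per-user entry.
"""
import re

NO_LIMIT = 0xFFFFFFFFFFFFFFFF
# FileSystemControlFlags bits per winioctl.h; 0x301 = track | incomplete | rebuilding.
QUOTA_TRACK, QUOTA_ENFORCE = 0x1, 0x2
LOG_QUOTA_THRESHOLD, LOG_QUOTA_LIMIT = 0x40, 0x80

SAMPLE = """\
FileSystemControlFlags = 0x00000301
Quotas are tracked on this volume
Logging for quota events is not enabled
The quota values are incomplete

Default Quota Threshold = 0xffffffffffffffff
Default Quota Limit = 0xffffffffffffffff

SID Name = CONTOSO\\User (User)
Quota Used = 4200000000
Quota Threshold = 3000000000
Quota Limit = 5000000000
"""

KEY_RE = re.compile(r"^\s*(FileSystemControlFlags|Default Quota Threshold|Default Quota Limit"
                    r"|SID Name|Quota Used|Quota Threshold|Quota Limit)\s*=\s*(.+?)\s*$")


def _to_int(value):  # defaults print as 0x-prefixed hex, per-entry values as decimal
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def parse_quota_query(text):
    """Return volume flags, default threshold/limit and one entry per SID."""
    report = {"tracked": False, "enforced": False, "logging": False,
              "default_threshold": NO_LIMIT, "default_limit": NO_LIMIT, "entries": []}
    entry = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # status sentences, Change time and blank lines
        key, value = m.groups()
        if key == "FileSystemControlFlags":
            flags = _to_int(value)
            report["tracked"] = bool(flags & (QUOTA_TRACK | QUOTA_ENFORCE))
            report["enforced"] = bool(flags & QUOTA_ENFORCE)
            report["logging"] = bool(flags & (LOG_QUOTA_THRESHOLD | LOG_QUOTA_LIMIT))
        elif key.startswith("Default"):
            report["default_" + key.split()[2].lower()] = _to_int(value)
        elif key == "SID Name":
            entry = {"name": value}
            report["entries"].append(entry)
        elif entry is not None:  # Quota Used / Quota Threshold / Quota Limit
            entry[key.split()[1].lower()] = _to_int(value)
    return report


def quota_findings(report):
    """Weaknesses a quota audit should raise, in the order they are found."""
    findings = []
    if not report["tracked"]:
        findings.append("quotas are not enabled on this volume")
    elif not report["enforced"]:
        findings.append("quotas are tracked but not enforced (fsutil quota enforce)")
    if not report["logging"]:
        findings.append("quota events are not logged")
    if report["default_limit"] == NO_LIMIT:
        findings.append("new users get no default limit")
    for e in report["entries"]:
        if e["limit"] != NO_LIMIT and e["used"] > e["threshold"]:
            findings.append(f"{e['name']} is over its warning level ({e['used'] / 1e9:.1f} GB used)")
    return findings
```

On a Windows host, feed it subprocess output instead of SAMPLE, for example the text of `fsutil quota query C:`.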
How to Configure Disk Quotas by Using Group Policy Settings
To configure disk quotas in an enterprise, use the AD DS Group Policy settings located at Computer Configuration\Administrative Templates\System\Disk Quotas. The following settings are available:
• Enable Disk Quotas
• Enforce Disk Quota Limit
• Default Quota Limit And Warning Level
• Log Event When Quota Limit Exceeded
• Log Event When Quota Warning Level Exceeded
• Apply Policy To Removable Media
Each of these settings relates directly to a local computer setting described earlier except for Apply Policy To Removable Media. If you enable this setting, quotas also apply to NTFS-formatted removable media. Quotas never apply to fixed or removable media unless they are formatted with NTFS.
Disk Tools
Microsoft provides several free tools that are very useful for managing disks and file systems,
as the sections that follow describe. For information about tools used for troubleshooting disk
problems, refer to Chapter 30.
Disk Usage
Perhaps the biggest challenge of managing file systems is managing disk usage. Quotas can help, but often you will still need to manually identify folders and files that are consuming large amounts of disk space.
The free Disk Usage (Du) tool, available for download from /en-us/sysinternals/bb896651.aspx, can identify the amount of disk space a folder and its subfolders consume. Run Du.exe with the folder you want to analyze, as in the following example.
Du C:\users\
Du v1.33 - report directory disk usage
Copyright (C) 2005-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

Files: 96459
Directories: 19696
Size: 51,641,352,816 bytes
Size on disk: 47,647,077,498 bytes
EFSDump
Users can share EFS-encrypted files by adding other user certificates to a file. However, auditing the users who have rights to files would be very time-consuming using the Windows Explorer graphical interface. To list users who have access to encrypted files more easily, use EFSDump, available for download from /bb896735.aspx.
For example, to list the users who have access to files in the encrypted subfolder, run the following command.
Efsdump -s encrypted
EFS Information Dumper v1.02
Copyright (C) 1999 Mark Russinovich
Systems Internals -

C:\Users\User1\Documents\Encrypted\MyFile.txt:
DDF Entry:
COMPUTER\User1:
User1(User1@COMPUTER)
DDF Entry:
COMPUTER\User2:
User2(User2@COMPUTER)
DRF Entry:
SDelete
When you delete a file, Windows removes the index for the file and prevents the operating
system from accessing the file’s contents. However, an attacker with direct access to the disk
can still recover the file’s contents until it has been overwritten by another file—which might
never happen. Similarly, files that have been EFS-encrypted leave behind the unencrypted
contents of the file on the disk.
With the SDelete tool, available for download from
/sysinternals/bb897443.aspx, you can overwrite the contents of free space on your disk to
prevent deleted or encrypted files from being recovered.
To use SDelete to overwrite deleted files on the C drive, run the following command.
Sdelete -z C:
SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

SDelete is set for 1 pass.
Free space cleaned on C:
Streams
NTFS files can contain multiple streams of data. Each stream resembles a separate file but is listed within a single filename. Streams are accessed using the syntax file:stream, and by default, the main stream is unnamed (and hence is accessed when you simply specify the filename).
For example, you can use the echo command to create a file or a specific stream. To create
a stream named Data for the file named Text.txt, run the following command.
Echo Hello, world > text.txt:data
Directory listings will show that the Text.txt file is zero bytes long, and opening the file in a
text editor will show nothing. However, it does contain data in the Data stream, which you can
demonstrate by running the following command.
More < text.txt:data
Hello, world
Legitimate programs often use streams. However, malicious software also uses streams to
hide data. You can use the Streams program, available at
/sysinternals/bb897440.aspx, to list streams. For example, to list all files with streams within
the Windows directory, run the following command.
Streams -s %windir%
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\Thumbs.db:
:encryptable:$DATA 0
C:\Windows\PLA\System\LAN Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 2524
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\System Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 5384
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\System Performance.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 500
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\Wireless Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 3240
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\ShellNew\Thumbs.db:
:encryptable:$DATA 0
C:\Windows\System32\Thumbs.db:
:encryptable:$DATA 0
As you can see from this output, several files in subdirectories within the C:\Windows\
directory have a stream named $DATA.
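Reviewing Streams output by eye does not scale past a handful of files. The parser below is an added example, not the Resource Kit's or Sysinternals' code: it turns captured `streams -s` output into rows, then reports every named stream that carries data and is not on a short list of expected names (Zone.Identifier, the Internet zone mark, and encryptable on Thumbs.db), which is the pattern to look at when checking whether data has been hidden in an alternate stream. SAMPLE is a constructed capture in the format shown above, extended with two extra files.

```python
"""Parse `streams -s` output and flag alternate data streams worth a look.

Added example, not from the Windows 7 Resource Kit. SAMPLE is constructed
from the output format shown in the chapter plus two extra files; the
file named payload.dll is an invented example of a hidden payload.
"""
import re

EXPECTED = {"zone.identifier", "encryptable"}
STREAM_RE = re.compile(r"^\s*:(?P<name>[^:]+):\$DATA\s+(?P<size>\d+)\s*$")

SAMPLE = """\
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\\Windows\\Thumbs.db:
   :encryptable:$DATA\t0
C:\\Windows\\PLA\\System\\LAN Diagnostics.xml:
   :0v1ieca3Feahez0jAwxjjk5uRh:$DATA\t2524
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA\t0
C:\\Users\\User1\\Downloads\\setup.exe:
   :Zone.Identifier:$DATA\t26
C:\\Users\\User1\\Pictures\\holiday.jpg:
   :payload.dll:$DATA\t188416
"""


def parse_streams(text):
    """Return [(file_path, stream_name, size_bytes), ...] from streams output."""
    rows, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not stripped.startswith(":"):
            current = stripped[:-1]          # a file line: "C:\path\file:"
            continue
        m = STREAM_RE.match(line)
        if m and current is not None:         # a stream line under that file
            rows.append((current, m.group("name"), int(m.group("size"))))
    return rows


def suspicious_streams(rows, min_size=1):
    """Named streams holding at least min_size bytes that are not expected."""
    return [(path, name, size) for path, name, size in rows
            if name.lower() not in EXPECTED and size >= min_size]


if __name__ == "__main__":
    for path, name, size in suspicious_streams(parse_streams(SAMPLE)):
        print(f"{size:>8} bytes  {path}:{name}")
```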
Sync
In some cases, Windows might cache data before writing it to the disk. When a computer
is shut down normally, all cached data is written to the disk. If you plan to shut down a
computer forcibly (by initiating a Stop error or disconnecting the power), you can run the
Sync command to flush all file system data to the disk. Sync is also useful to ensure that all
data is written to removable disks.
You can download Sync from
The simplest way to use Sync is to run it with no parameters and with administrative privileges,
which flushes data for all disks.
sync
Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Flushing: C E F
To flush data for the F drive removable disk and then eject it, run the following command.
Sync -r -e F:
Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Flushing: F
MoveFile and PendMoves
Files can’t be moved when they’re in use by the operating system or an application. If a file is constantly in use, you can schedule Windows to move the file during startup using the MoveFile tool, available for download from /bb897556.aspx.
Use MoveFile exactly as you would use the move command as in the following example.
Movefile file.txt test\file.txt
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
The file will not be moved immediately. However, the next time the computer is restarted, Windows will move the file. If you want to delete a file that is constantly in use (a common requirement for removing malicious software), provide "" as the destination as in the following example.
Movefile file2.txt ""
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
The same download that includes MoveFile includes the PendMoves tool, which displays
moves and deletions that have been scheduled. You can simply run the command without
parameters, as the following example demonstrates.
pendmoves
PendMove v1.1
Copyright (C) 2004 Mark Russinovich
Sysinternals - wwww.sysinternals.com

Source: C:\Users\User1\Documents\file.txt
Target: C:\Users\User1\Documents\dest\file.txt

Source: C:\Users\User1\Documents\file2.txt
Target: DELETE

Time of last update to pending moves key: 2/27/2008 10:08 AM
Summary
Windows 7 uses local storage, which is typically based on hard disks, to store critical operating system files. Users rely on the same storage for confidential files. Because the integrity of the operating system and the security of your organization depend on the disks and file systems stored within each Windows computer, you must carefully consider your client-storage management requirements.
Fortunately, Windows 7 provides simple disk and volume management using either graphical or command-line tools. Windows Vista and Windows 7 improve on Windows XP by allowing partitions to be dynamically resized and thereby allowing administrators to reconfigure partitions without reformatting a disk or using third-party tools.
Windows 7 provides several features for managing disks and file systems. To provide data recovery in the event of a failed hard disk, corrupted files, or accidentally deleted data, Windows 7 provides both manual and scheduled backups. If backups are available online, users can use Previous Versions to recover a file without contacting the Support Center. System Image backup and restore enables you to replace a hard disk and get a computer up and running within minutes without needing to reinstall user applications.
To improve random access disk performance, ReadyBoost can use removable flash storage to cache disk contents. ReadyBoost will prompt the user automatically when compatible media is attached unless an administrator has disabled the feature. ReadyBoost offers the biggest performance gains on computers with slow disk access.
As with earlier versions of Windows, Windows 7 supports EFS to encrypt user files. To encrypt the system volume, including the hibernation and paging file, Windows 7 also supports BitLocker Drive Encryption. BitLocker requires a decryption key before Windows can start. The key can be provided by a hardware TPM chip, a USB key, a combination of the two, or a com-