Wednesday, April 24, 2019

Windows 10 Version 1809 (October 2018 Update) Disk Cleanup - A detailed look at Disk Cleaning "Files to Delete" categories

Disk Cleanup in Windows 10 Version 1809 (October 2018 Update) has many new file deletion categories, such as Windows Defender files; see below.

How to Use

The Disk Cleanup wizard detects outdated files that can be deleted, so if a category appears you can select those files to be deleted. By category, I mean potential files to be deleted under the "Files to delete:" heading in the bordered box below.

These potential files to be deleted will be enumerated each time you run Disk Cleanup, so the categories will change each time you run it and be different on other computers.




Click the "View Files" button to examine the files that are to be deleted in each category.

Click the "Clean up system files" button to analyze the selected drive and display which Windows system files can be cleaned up. A progress bar is shown during this process. Wait for this to finish.




When done, Disk Cleanup shows the total amount of space that can be freed up. Then, in the 'Files to delete' section you see different types of files that can be deleted. 

This will include categories such as 'Downloaded Program Files', 'Recycle Bin', 'System error' files, 'Temporary files' and others. For each category of items, you see how much space they occupy at the moment.





Extra: Click the 'Clean up system files' button (to save a lot of gigabytes of space) - see below.

Detailed Explanation of all 'Files to Delete' Categories:


Category Description

Compress System Disk




WARNING : THIS COMPRESSES YOUR DISK, it does not clean intermediate compressed files. THIS SLOWS YOUR FILE SYSTEM DOWN. Consult with an admin before using or extensively research this option before using. Turning this off has caused issues before. It's a one way street generally.

Save storage space by allowing Windows to compress the contents of your drive. You will be able to access your files as normal, and the compression will be automatic and transparent to you. Depending on how much info is on your drive, compression may take a while. If you need to decompress the drive or any folders at a later date you can do so with Windows File Explorer.

@C:\Program Files\rempl\strgsnsaddons.dll,-1009

BranchCache
 
Files created by BranchCache service for caching data.
 

BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2012 and Windows 8 operating systems, as well as in some editions of Windows Server 2008 R2 and Windows 7. To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. 
File History Files
File History saves copies of your files so you can get them back if they're lost or damaged. It automatically backs up files in the background and lets you restore them from a simple, time-based interface.

DirectX Shader Cache
Clean up files created by the graphics system which can speed up application load time and improve responsiveness. They will be re-generated as needed.

Downloads
Warning: These are files in your personal Downloads folder.

It's important to understand that the "Downloads" option is unchecked by default and that it's a helpful feature for those who use the Downloads folder for temporary files. On the other hand, if you use it as a place to store needed files, make sure the option is unchecked or you will lose the content stored in the folder.

Folder:C:\Users\{UserName}\Downloads
File List:*.*
@C:\WINDOWS\System32\DATACLEN.DLL, -1045
Hello Face Remove
Warning: Using this option seems to disable Windows Hello
https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-Recovery/Hello-Face-stopped-working-after-a-disk-cleanup/td-p/7028729

When you uninstall the optional Windows Hello Face component, signing in to Windows using facial recognition might not work. You'll still be able to log in with your Windows Hello PIN or a username and password combination. To turn this back on in the future, go to Settings, search for Add an optional feature, select Add a feature, and then select Windows Hello Face.

@C:\Program Files\rempl\strgsnsaddons.dll,-1029
Language Pack Files
Remove unused language resource files, including keyboards, speech inputs, etc.

Mixed Reality
Removes Mixed Reality viewer files.

@C:\Program Files\rempl\strgsnsaddons.dll,-1023
OneDrive File Remove
Removes temporary OneDrive offline files in OneDrive folders marked as "online-only" to free up disk space.

Note: You can always explicitly set a folder as 'Always keep offline' (even if you haven't used those files in a long time) and it won't affect those folders.
@C:\Program Files\rempl\strgsnsaddons.dll,-1013
Downloaded Files
Duplicate of Downloads option
@C:\Program Files\rempl\strgsnsaddons.dll,-101

Delete all System Restore Points
This will delete all previous restore points. Restore points allow you to go back to a previous install state. It can be risky to remove all restore points. If you feel confident and need the space, use this option and then create a restore point immediately afterwards.

Note: You can also save space by deleting all previous restore points except for the last one. To do that, run Disk Cleanup and after it scans your drive, select the More Options tab. 
Then under the System Restore and Shadow Copies section click Clean up and then the verification message
Language Pack
Remove unused language resource files, including keyboards, speech inputs, etc.

Old ChkDsk Files
Check Disk (chkdsk) is a command-line tool that you use to recover files from your hard disk after damage, generally caused by surface errors due to aging, bumping and smoke, that causes bad sectors (lost data) to appear. Chkdsk recovers what it can of the data that was written over the bad sectors into files ending in .CHK.

You can open and read the contents using Notepad or even better Notepad++. Often the contents are not worth keeping but they can be. Chkdsk files are indicative that a drive is starting to fail. If new bad sectors continue to appear you should replace the drive or you risk losing all your files.


"FileList"="*.CHK"
"Folder"="?:\\FOUND.000|?:\\FOUND.001|?:\\FOUND.002|?:\\FOUND.003|?:\\FOUND.004|?:\\FOUND.005|?:\\FOUND.006|?:\\FOUND.007|?:\\FOUND.008|?:\\FOUND.009"

Delivery Optimization Files
Delivery optimization files are files that were previously downloaded to your computer and can be deleted if currently unused by the Delivery Optimization service.

Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.

@C:\WINDOWS\system32\domgmt.dll
Content Indexer Cleaner
The Windows search indexer is constantly running in the background to make file searches as quick as possible.

"Folder"="?:\\Catalog.wci"
File List:*.* 
Temporary Setup Files
These files should no longer be needed. They were originally created by a setup program that is no longer running.

Located in directory C:\\Windows\\msdownld.tmp|?:\\msdownld.tmp
"FileList"="*.tmp"

@C:\WINDOWS\system32\setupcln.dll, -1001
Downloaded Program Files
Downloaded Program Files are ActiveX controls and Java applets downloaded automatically from the Internet when you view certain pages. They are temporarily stored in the Downloaded Program Files folder on your hard disk.

@C:\Windows\System32\occache.dll,-1071

Temporary Internet Files
The Temporary Internet Files folder contains webpages stored on your hard disk for quick viewing. Your personalized settings for webpages will be left intact.

Offline Web Pages
Offline pages are webpages that are stored on your computer so you can view them without being connected to the Internet. If you delete these pages now, you can still view your favorites offline later by synchronizing them. Your personalized settings for webpages will be left intact.

Debug Dump Files
Files created by Windows.

Recycle Bin
The Recycle Bin contains files you have deleted from your computer.

Setup Log Files
Files created by Windows.

"FileList"="setup*.log|setup*.old|setuplog.txt|winnt32.log"
"Folder"="%WINDIR%"
System Error Memory Dump Files
Remove system error memory dump files.

System Error Minidump Files
Remove system error minidump files.

Temporary Files
Programs sometimes store temporary information in the TEMP folder. Before a program closes, it usually deletes this information. You can safely delete temporary files that have not been modified in over a week.

Folder:C:\Users\Markus\AppData\Local\Temp|C:\WINDOWS\Temp|C:\WINDOWS\Logs|C:\WINDOWS\System32\LogFiles
File List:*.*
Temporary Sync Files
Remove Windows Media Sync files.
You can use Windows Media Player to copy music, videos, and pictures from your Player Library to a portable device, such as a compatible MP3 player. This process is called syncing. These are temp files in caches created in this process, which are deleted.

Thumbnails
Windows keeps a copy of all your picture, video, and document thumbnails so they can be displayed quickly when you open a folder. If you delete these thumbnails, they will be automatically recreated as needed.

User File Versions
Windows stores file versions temporarily on this disk before copying them to the designated File History disk. If you delete these files, you will lose some file history.

File History is Windows 10's main backup tool, originally introduced in Windows 8. Despite the name, File History isn't just a way to restore previous versions of files; it's a fully-featured backup tool, and it's supposed to be a clone of Apple Time Machine.

Windows Error Report Files (4 types)
Files used for Windows Error Reporting (WER). These are logs of errors (program crashes mostly) that were reported to Microsoft by the Windows Error Reporting service.

After you click the 'Clean up system files' button you see the following dialog box




This will include categories such as 'Windows ESD Installation Files', 'Windows Defender' and others.

Windows Update Cleanup only appears in the list when the Disk Cleanup wizard detects Windows updates that you don't need on your system.  This category will generally save you the greatest amount of space. All of these are okay to delete, that is the purpose of this wizard. 

Recommendation: Carefully select the categories whose files you want to delete, but first review the categories below for further details; some have irreversible effects.

Detailed Explanation of 'Clean up system files' categories

Category Description
Windows ESD installation Files
(since Win 10)
You will need these files to Reset or Refresh your PC.
Windows ESD files were introduced for the upgrade to Windows 10, behind the scenes.
Windows ESD files are files used for an upgrade to a new version of Windows. ESD stands for Electronic Software Delivery and delivers files in an encrypted (.esd) format. This then contains a .wim file. A Windows IMage (.wim) file contains one or more compressed Windows images. Each Windows image in a .wim file contains a list of all of the components, settings, and packages available with that Windows image. The Install.wim file in turn contains everything needed for a complete Windows installation.

You can convert the Windows 10 .esd file to make your own ISO disk to upgrade any PC later!
Temporary Windows installation files
Installation files used by Windows setup. These files are left over from the installation process and can be safely deleted.

Previous Windows installation(s)
Files from a previous Windows installation. Files and folders that may conflict with the installation of Windows have been moved to folders named Windows.old. You can access data from the previous Windows installations in this folder.

@C:\WINDOWS\system32\setupcln.dll,-1002
Update package Backup Files
Windows saves old versions of files that have been updated by an Update package. If you delete the files, you won't be able to uninstall the Update package later.

Windows Update Cleanup
Windows keeps copies of all installed updates from Windows Update, even after installing newer versions of updates that are no longer needed and taking up space. (You might need to restart your computer.)

@C:\WINDOWS\system32\scavengeui.dll,-1002
Device driver packages
Windows keeps copies of all previously installed device driver packages from Windows Update and other sources even after installing newer versions of drivers. This task will remove older versions of drivers that are no longer needed. The most current version of each driver package will be kept.

@C:\WINDOWS\system32\pnpclean.dll, -102
Windows Defender Antivirus
Non critical files used by Windows Defender Antivirus
All files in these locations will be deleted
Folder:C:\ProgramData\Microsoft\Windows Defender\LocalCopy|C:\ProgramData\Microsoft\Windows Defender\Support
File List:*.*
@C:\Program Files\WindowsDefender\MpAsDesc.dll,-380

Files Discarded by Windows Upgrade
Files from a previous Windows installation. As a precaution, Windows upgrade keeps a copy of any files that were not moved to the new version of Windows and were not identified as Windows system files. If you are sure that no user's personal files are missing after the upgrade, you can delete these files.

@C:\WINDOWS\system32\setupcln.dll, -1005
Setup Directories:$WINDOWS.~Q;$INPLACE.~TR;$Windows.~LS

Windows Upgrade Log Files
Windows upgrade log files contain information that can help identify and troubleshoot problems that occur during Windows installation, upgrade, or servicing. Deleting these files can make it difficult to troubleshoot installation issues.

@C:\WINDOWS\System32\DATACLEN.DLL,-1010
Folder:C:\WINDOWS
File List:setup*.log|setup*.old|setuplog.txt|winnt32.log

Service Pack Backup Files
Windows saves old versions of files that have been updated by a service pack. If you delete the files, you won't be able to uninstall the service pack later.

@C:\WINDOWS\system32\scavengeui.dll,-1000

When you click OK, Disk Cleanup will prompt you to confirm that you want to permanently delete the selected files. 

If you have never done this, you'll be surprised at the gigabytes of space freed up.
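
Several of these categories remove material that is also used for troubleshooting (memory dumps, Windows Error Reporting files, setup and upgrade logs), so it helps to list what a category's Folder and File List values match before cleaning. The following Python sketch is an added example, not code from Disk Cleanup or Microsoft; it assumes that a leading `?:` means the drive being cleaned and that subfolders are included, and the sample tree it builds is constructed.

```python
import fnmatch
import os
import tempfile

def parse_spec(folder_value, filelist_value):
    """Split the pipe-separated Folder / FileList values shown on this page."""
    # Registry exports write each backslash as "\\"; undo that first.
    folders = [f.strip().replace("\\\\", "\\")
               for f in folder_value.split("|") if f.strip()]
    patterns = [p.strip() for p in filelist_value.split("|") if p.strip()]
    return folders, patterns

def resolve(folder, drive_root, env=None):
    """Map one Folder entry to a local path.
    Assumption: a leading '?:' stands for the drive being cleaned."""
    if folder.startswith("?:"):
        folder = drive_root + folder[2:]
    for name, value in (env or {}).items():   # e.g. %WINDIR%
        folder = folder.replace("%" + name + "%", value)
    return folder.replace("\\", os.sep)        # lets the demo run on any OS

def preview(folder_value, filelist_value, drive_root, env=None):
    """Return sorted (path, size) pairs for files the category patterns match."""
    folders, patterns = parse_spec(folder_value, filelist_value)
    hits = []
    for folder in folders:
        root = resolve(folder, drive_root, env)
        if not os.path.isdir(root):
            continue                           # e.g. FOUND.001 does not exist
        # Assumption: subfolders are included in the category.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                # Windows names are case-insensitive, so compare lowered.
                if any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns):
                    full = os.path.join(dirpath, name)
                    hits.append((full, os.path.getsize(full)))
    return sorted(hits)

def demo():
    """Build a constructed sample tree standing in for a drive root."""
    drive = tempfile.mkdtemp()
    samples = [("FOUND.000", "FILE0000.CHK", b"x" * 512),    # matches
               ("FOUND.000", "readme.txt", b"other file"),    # wrong pattern
               ("Keep", "FILE0001.CHK", b"elsewhere")]        # wrong folder
    for folder, name, data in samples:
        os.makedirs(os.path.join(drive, folder), exist_ok=True)
        with open(os.path.join(drive, folder, name), "wb") as fh:
            fh.write(data)
    return preview(r"?:\\FOUND.000|?:\\FOUND.001", "*.chk", drive)

if __name__ == "__main__":
    for path, size in demo():
        print(f"{size:>8}  {path}")
```

On a real machine, pass the drive letter (for example `"C:"`) as `drive_root` and copy the listed files elsewhere first if they may be needed for later analysis.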

Monday, April 15, 2019

Microsoft Security Configuration Framework - What to lock down on your computer guidance

Microsoft just came out with a new Microsoft Security Configuration Framework to help users lock down their computers. You can use this to lock down your computer at home.















  • Level 5 Enterprise Security – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days.
  • Level 4 Enterprise High Security – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
  • Level 3 Enterprise VIP Security – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
  • Level 2 DevOps Workstation – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon!
  • Level 1 Administrator Workstation – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption.

Along with Secure Score in Windows Defender Security Center, you can get a detailed set of action items you need to reduce your attack surface in Windows, which is available in Windows Defender ATP in Windows Enterprise Editions.



Wednesday, April 10, 2019

Phishing Email - Subject: RE: [ Reminder ][ Sign-in New Device ] The following changes to your Account, Update Activity Account Submitted Changed to Your Billing

For the record, this is an Apple phishing email attempt that has recently been going around and made it through spam filters. What to do? Report it; go to the bottom of the page.


From : "support@apple.com"
Subject : Subject: RE: [ Reminder ][ Sign-in New Device ] The following changes to your Account, Update Activity Account Submitted Changed to Your Billing


Here's  a preview.

SPAM/ PHISHING LINKs;  

1. https://qoo10.sg/....

How to tell this is a Phishing email ?

  1. Check email address in full, if it's not from originating company then it's phishing.
  2. Hover over all links in email, if it's not from the apple.com site then forget it.

  3. The best way is to look at message source, see below.

How to examine Email Message Source ?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source. 
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links, anything that does not originate from apple.com.
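
The message-source check described above, automated as an added Python example (not part of the original post): it parses the raw source and compares the real sender address and every link host against apple.com, treating look-alike hosts as foreign. The sample message, the sender notice@mailer.example and the host apple.com.login.example are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "apple.com"   # the brand the message claims to come from

# Constructed sample message source (not the real email from this post).
SAMPLE = """\
From: "support@apple.com" <notice@mailer.example>
To: user@example.org
Subject: RE: [ Reminder ][ Sign-in New Device ]
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://qoo10.sg/">Verify your account</a>
<a href="https://apple.com.login.example/id">Apple ID</a>
<a href="https://support.apple.com/">Help</a>
</body></html>
"""

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def analyze(source, domain=EXPECTED_DOMAIN):
    """Return a list of findings for one raw message source."""
    msg = message_from_string(source, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_host = addr.rpartition("@")[2]
    findings = []
    if not in_domain(sender_host, domain):
        findings.append(f"sender address <{addr}> is not at {domain}")
        if domain in display.lower():
            findings.append("display name imitates the expected domain")
    # Collect every http(s) URL from all text parts of the message.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
            host = urlsplit(url).hostname
            if not in_domain(host, domain):
                findings.append(f"link to foreign host: {host}")
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("SUSPICIOUS:", finding)
```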


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down arrow to top right)->Report Phishing

Report Phishing URLs at Google now 

If you have received this email, take further action now by clicking these links:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Report phishing emails to Apple 

Forward the email to abuse@icloud.com. This provides Apple's legal department and law enforcement with useful information to help prevent future phishing emails.