Building a Robust OS Image

ACTINEON, INC.
Revision 1.00
Davidson Hom
3/28/2013
This document contains recommendations to create a robust system for the Windows environment.
Date      Revision  Author  Change
03/28/13  1.00      DH      Initial creation
Contents
1 Overview
2 Recommendations
2.1 Identify Abnormal Termination Sources
2.1.1 BSOD Stop Code
2.1.2 Event log
2.2 Memory dump
2.3 Implement EWF/FBWF/UWF
2.4 Harden Application code
2.5 Disable Disk caching
2.5.1 Superfetch/Prefetch
2.5.2 Write caching
1 Overview
Windows is susceptible to corruption from many sources, but many practices are available to
make the system more robust against crashes and abnormal termination. We have found that the
recommendations below significantly harden the system against corruption.
2 Recommendations
2.1 Identify Abnormal Termination Sources
Removing the causes of abnormal termination is vital to a robust system. Whether it is a user
unplugging the system and causing sudden power loss or a faulty application raising a BSOD, it is
critical to identify and remove the source of abnormal termination.
2.1.1 BSOD Stop Code
When Windows crashes, the notorious Blue Screen of Death (BSOD) displays a Stop Code in the form of
an eight-digit hexadecimal number. Looking up the number will provide valuable information on why
Windows crashed.
2.1.2 Event log
The Windows System Event Log can provide additional details about any previous system faults that
occurred.
2.2 Memory dump
Enable debugging information for Windows crashes to aid in root cause efforts. It is critical in
identifying faulty hardware/software in the system. Go to Control Panel->System and Security->System->Advanced system settings->Startup and Recovery settings. Under Write debugging information, select
either Small memory dump (256KB) or Kernel memory dump.
2.3 Implement EWF/FBWF/UWF
Enhanced Write Filter, File Based Write Filter and Unified Write Filter (Windows 8) are Windows
technologies designed to prevent system and file corruption by creating a write overlay that redirects
disk writes to RAM. Nothing is ever physically written to the disk while the Write Filters are enabled.
Exceptions can be set up, or writes can be committed to disk if permanent changes are required.
2.4 Harden Application code
Hardening user application code by closing file handles and registry keys immediately after each
access will reduce the chance of data loss and corruption.
2.5 Disable Disk caching
Disabling the disk write caching and Superfetch/Prefetch will greatly enhance the system’s resistance to
corruption due to abnormal termination. Disabling disk write caching will require verifying acceptable
application performance because of the reduced disk performance.
2.5.1 Superfetch/Prefetch
Run regedt32.exe and browse to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Make the following registry value changes:
Set EnablePrefetcher to 0.
Set EnableSuperfetch to 0.
To disable the Superfetch service, run services.msc, right-click the Superfetch service and open
Properties. Change the startup type to “Disabled”.
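The registry and service changes above can be scripted and verified, which helps when the same image is rebuilt repeatedly. The PowerShell below is an added example, not part of the original document; it assumes an elevated PowerShell 3.0 or later session and that the Superfetch service's internal name is SysMain. The -AuditOnly switch and the Get-PrefetchState helper are names introduced for this example.

```powershell
# Added example: apply and verify the Superfetch/Prefetch settings from section 2.5.1.
# Save as a .ps1 file and run elevated. Assumption: the Superfetch service is named SysMain.
param([switch]$AuditOnly)   # -AuditOnly reports the current state and changes nothing

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$values = 'EnablePrefetcher', 'EnableSuperfetch'
$svc    = 'SysMain'

function Get-PrefetchState {
    # Read both registry values; a value that does not exist is reported as $null.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $state = [ordered]@{}
    foreach ($name in $values) { $state[$name] = $props.$name }

    # StartMode is 'Auto', 'Manual' or 'Disabled'; $null when the service is absent.
    $service = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    $state['ServiceStartMode'] = $service.StartMode
    $state['ServiceState']     = $service.State   # stays 'Running' until the next reboot

    # Compliant: both values are 0 and the service is disabled (or not installed).
    $state['Compliant'] = ($state.EnablePrefetcher -eq 0) -and
                          ($state.EnableSuperfetch -eq 0) -and
                          ($state.ServiceStartMode -in $null, 'Disabled')
    [pscustomobject]$state
}

if (-not $AuditOnly) {
    foreach ($name in $values) {
        # -Force overwrites an existing value and creates a missing one.
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        # Same effect as setting the startup type to "Disabled" in services.msc.
        Set-Service -Name $svc -StartupType Disabled
    }
}

$result = Get-PrefetchState
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning 'Superfetch/Prefetch is not fully disabled on this system.'
}
```

Running the script with -AuditOnly on a deployed unit shows whether the image still carries the settings, without modifying it.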
2.5.2 Write caching
To disable write caching, go to Control Panel->Hardware and Sound and click on Device Manager under
Devices and Printers. Expand Disk drives in Device Manager, right-click the selected disk and open
Properties. Under the Policies tab uncheck “Enable write caching on the device” and press the “OK”
button to save the changes.