This is for a WinXP SP2 or SP3 CD. If you're using an older CD (SP1 or RTM), I strongly advise not giving this machine a direct Internet connection, and having the SP2 / SP3 standalone installers already downloaded (I haven't taken a machine from SP1 to SP3 but I would assume it to be ok). I used to advise no Internet connection regardless of CD, but the Windows firewall has a pretty sensible config by default at the moment (I don't know of any vulns that compromised it).

Note: I would like to tweak my scripts a bit more here so that there isn't a time-sensitive stage of setup where the first script is inserted, but I need to test it a bit more yet. If the first script is left until the second stage of setup starts asking its first questions, then All Users\Start Menu and Default User\Start Menu have already been populated with shortcuts. You can't just xcopy the old folder over the new one. One reason why is that in 'My Computer', 'Shared Documents' just gets labelled 'Documents'. I don't think there are other reasons, but I don't intend to let time test that one.

*** Install guide instructions start here ***

I advise unplugging any USB mass storage devices, card readers, etc. They get allocated drive letters that most people would prefer to have allocated to fixed disks.

Configure the PC BIOS to boot from CD. Boot from CD.

Partitioning - create two partitions: one 8GB partition, and one encompassing the rest of the disk for your apps and data. Do not install yet! Exit setup and reboot; you'll notice the drive letters allocated to the partitions are now C and D rather than, say, C and E (because of your CD drive, for example).

I went with 4GB for a long time, but with service packing the Windows folder balloons in size, even after deleting the uninstall folder. IE7 adds to that as well. 8GB (possibly larger) should also be considered with, say, >2GB RAM, if you want to use hibernate mode, for example.

Reboot.
Get back to the partitioning stage of setup; you'll notice that the drive letters have changed to C and D. Minor niggle really, I just find it irritating when a CD drive is given a drive letter between disk partitions.

Install onto C drive. Quick format will do fine, honest. I've used it loads of times before, even on a brand new disk. It's also what Vista does during setup. When this phase of setup is done, reboot.

** THIS IS A TIME-SENSITIVE STAGE OF SETUP, PAY ATTENTION! **

On reboot, when Setup continues with its usual screen, press Shift+F10 ASAP. Next, you should check whether the win32 subsystem has been loaded yet. Try loading Task Manager (TASKMGR). If it gives an error, the win32 subsystem isn't loaded yet. Keep trying the command every few seconds until Task Manager loads, then eject the CD when the access light isn't on. (Usually what will happen is that Setup will just ask for the CD back - at worst, the CD was ejected mid-file-access, and Setup will bomb out. If this happens, reboot and that stage of Setup will restart.)

You should have a command prompt on the screen. Check that D drive is unformatted, then do:

FORMAT D: /FS:NTFS /Q

I call this partition 'Apps Data' myself, but that isn't important.

Next, I use a CD or floppy to do this (no drivers for USB mass storage yet!) - you need ROBOCOPY and JUNCTION (both are free downloads from microsoft.com). My batch file contains the following:

MKDIR "D:\Apps"
MKDIR "D:\Documents and Settings"
MKDIR "D:\Backup"
MKDIR "D:\Backup\System"
MKDIR "D:\Backup\System\Drivers"
MKDIR "D:\Temp"
REM /MIR mirrors the whole tree; /R:0 means don't retry files that fail to copy
robocopy "C:\Program Files" "D:\Apps" /MIR /R:0
robocopy "C:\Documents and Settings\All Users" "D:\Documents and Settings\All Users" /MIR /R:0
robocopy "C:\Documents and Settings\Default User" "D:\Documents and Settings\Default User" /MIR /R:0
REM regedit asks for confirmation before importing, so this is where you get a chance to check the copies
REGEDIT migration1.REG
ECHO Nothing destructive has happened yet, but C:\Program files is pending deletion.
REM Remove the original and replace it with a junction that points at the copy on D:
RMDIR "C:\Program Files" /s /q
MKDIR "C:\Program Files"
JUNCTION -s "C:\Program Files" "D:\Apps"

and MIGRATION1.REG contains:

Windows Registry Editor Version 5.00

; hex(2) values are REG_EXPAND_SZ strings stored as UTF-16LE bytes with a NUL terminator
; (these decode to D:\Documents and Settings, ...\LocalService and ...\NetworkService)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"=hex(2):44,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,\
  00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,\
  69,00,6e,00,67,00,73,00,00,00

; S-1-5-19 is the well-known SID for LocalService
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"ProfileImagePath"=hex(2):44,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,\
  00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,\
  69,00,6e,00,67,00,73,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,\
  00,76,00,69,00,63,00,65,00,00,00

; S-1-5-20 is the well-known SID for NetworkService
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"ProfileImagePath"=hex(2):44,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,\
  00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,\
  69,00,6e,00,67,00,73,00,5c,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,\
  00,65,00,72,00,76,00,69,00,63,00,65,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="D:\\Documents and Settings\\NetworkService\\Application Data"
"Cookies"="D:\\Documents and Settings\\NetworkService\\Cookies"
"Cache"="D:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files"
"History"="D:\\Documents and Settings\\NetworkService\\Local Settings\\History"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="D:\\Apps"
"CommonFilesDir"="D:\\Apps\\Common Files"

---

Don't bother trying to delete the profile folders yet, it won't work. Pop the XP CD back in and continue setup.
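The hex(2) values in MIGRATION1.REG are REG_EXPAND_SZ strings written out as UTF-16LE bytes, which makes them awkward to read, and awkward to adapt if your data partition isn't D:. The Python script below is an added example, not part of the original guide or its author's scripts: it decodes those values back into paths, rebuilds the ProfileList section for any drive letter, and reports any value that doesn't point at the drive you expect.

```python
# Added example, not from the original guide: decode/encode the hex(2)
# (REG_EXPAND_SZ) values in MIGRATION1.REG and rebuild its ProfileList section
# for a data drive other than D:.
import re

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

def decode_expand_sz(value):
    """Turn a .reg 'hex(2):..' value (with '\\' line continuations) into a string."""
    body = re.sub(r"[\\\s]", "", value.strip())          # drop continuations, spaces
    if not body.startswith("hex(2):"):
        raise ValueError("not a REG_EXPAND_SZ (hex(2)) value")
    raw = bytes(int(h, 16) for h in body[len("hex(2):"):].split(",") if h)
    return raw.decode("utf-16-le").rstrip("\x00")         # strip the NUL terminator

def encode_expand_sz(text):
    """Encode text the way regedit exports it: UTF-16LE + NUL, comma-separated hex."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join("%02x" % b for b in data)

def build_profile_reg(drive):
    """Return the ProfileList part of MIGRATION1.REG with paths on the given drive."""
    drive = drive.rstrip(":").upper()
    base = drive + ":\\Documents and Settings"
    out = ["Windows Registry Editor Version 5.00", "",
           "[" + PROFILE_LIST + "]",
           '"ProfilesDirectory"=' + encode_expand_sz(base), ""]
    # Well-known SIDs: S-1-5-19 is LocalService, S-1-5-20 is NetworkService
    for sid, name in (("S-1-5-19", "LocalService"), ("S-1-5-20", "NetworkService")):
        out += ["[" + PROFILE_LIST + "\\" + sid + "]",
                '"ProfileImagePath"=' + encode_expand_sz(base + "\\" + name), ""]
    return "\n".join(out)

def check_reg(reg_text, drive):
    """Decode every hex(2) value in reg_text; return the names not rooted on drive."""
    pattern = r'"(\w+)"=(hex\(2\):[^\\\n]*(?:\\\n[^\\\n]*)*)'   # spans continued lines
    root = drive.rstrip(":").upper() + ":\\"
    return [name for name, val in re.findall(pattern, reg_text)
            if not decode_expand_sz(val).upper().startswith(root)]

if __name__ == "__main__":
    reg = build_profile_reg("E")        # e.g. the data partition ended up as E:
    print(reg)
    print("values not on E:", check_reg(reg, "E"))
```

Run check_reg over the migration file before importing it with regedit; a non-empty list means one of the profile paths would still point at the old drive.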
[keymap / locale options]
Top customise button: Regional options > UK in both combo boxes [Apply]
Languages tab > Details > select UK in the combo box, then [Remove] the US keymap from the lower list [Apply]
Advanced > tick [Turn off advanced text services]
Advanced tab > UK [OK]
Next

Machine name (no spaces!)
Admin password
Choose timezone, correct clock if necessary

- networking: choose 'custom'. Configure your NIC if necessary.
  - uninstall QoS
  - untick "Client for MS networks" and "File/Print sharing for MS networks".
  - keep "Internet Protocol (TCP/IP)" ticked, go into Properties.
  - configure the "General" tab however you need it.
  - select "Advanced".
  - "DNS" tab > untick "Register this ... in DNS".
  - "WINS" tab > untick "Enable LMHosts lookup" and select "Disable NetBIOS over TCP/IP".
  - OK.

In short: configure TCP/IP [Properties] to your requirements, but:
* Advanced: DNS > untick 'Register this connection in DNS'
* WINS > untick 'Enable LMHOSTS lookup', choose 'Disable NetBIOS over TCP/IP'

OK your way out of that lot, hit Next, Next again (ignoring workgroup).
Register with MS: No.
Skip the Internet bit.
Automatic Updates: No.

Windows boots for the first time.
CP > User Accounts > Change the way users log on and off:
- untick 'Use Fast User Switching' (slight performance tweak)

Second script:

xcopy /e /c /h "C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures" "D:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures"
xcopy /e /c /h "C:\Documents and Settings\All Users\Start Menu" "D:\Documents and Settings\All Users\Start Menu"
REM Profiles were redirected to D: by migration1.REG before first boot, so C: only holds leftovers now
RMDIR "C:\Documents and Settings" /s /q
MKDIR "C:\Documents and Settings"
JUNCTION -S "C:\Documents and Settings" "D:\Documents and Settings"
REM Keep a copy of the install source (E: is the CD drive here) and install the Recovery Console from it
MKDIR "D:\Backup\System\I386"
XCOPY /e /c /h "E:\I386" "D:\Backup\System\I386"
"D:\Backup\System\I386\winnt32.exe" /cmdcons
REM BOOT.INI is read-only, system and hidden; clear the attributes to edit it, then put them back
ATTRIB C:\BOOT.INI -r -s -h
NOTEPAD C:\BOOT.INI
ATTRIB C:\BOOT.INI +r +s +h

MIGRATION2.REG (points Windows at the local copy of I386 so it stops asking for the CD):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"SourcePath"="D:\\Backup\\System\\I386"

- Untick 'Allow Indexing Service...' on all NTFS drives (drive properties).
- Label C drive 'Windows XP', at least that's what I do.
- Control Panel > Add/Remove Programs > Windows Components, untick:
  - Indexing Service
  - Outlook Express
  - Windows Messenger
  - MSN Explorer
  (don't restart)

- services config: set the following services from Automatic to Manual, don't stop them!:
  - Automatic Updating
  - Background Intelligent Transfer Service
  - COM+ Event System
  - Computer Browser
  - DHCP Client (if you're using DHCP, read http://www.legolas.com/wac/dhcpnote.txt)
  - Distributed Link Tracking Client
  - Distributed Transaction Co-ordinator
  - DNS Client
  - IPSEC Policy Agent
  - Logical Disk Manager
  - Messenger
  - Print Spooler
  - Protected Storage
  - Remote Registry Service
  - Secondary Logon
  - Server
  - Terminal Services
  - Themes
  - TCP/IP NetBIOS Helper Service
  - Windows Management Instrumentation
  - Workstation

- (XP Pro only) Local Security Policy:
  - local policies > audit policy: account logon: F; account management: S/F; logon: S/F; policy change: S/F
  - user rights:
    - Access this computer from the network: no-one
    - Log on locally: Administrators
  - security options:
    - additional restrictions for anonymous connections: do not allow enumeration
    - Do not require Ctrl+Alt+Del: Disabled (i.e. keep Ctrl+Alt+Del required)
    - LAN Manager authentication level: send NTLMv2 only, refuse LM and NTLM

- Computer Management:
  - Event Viewer: set all logs to 512KB, overwrite as needed
  - Indexing Service: delete all indexes
  - rename the Administrator account

- (if needed) configure dial-up Internet connection:
  - enable Internet Connection Sharing
  - Networking tab: TCP/IP properties: Advanced: DNS: untick 'Register...'

- disable DCOM (see http://www.legolas.com/wac/dcom.txt)

- Device Manager:
  - View > Show hidden devices
  - disable:
    - Network: Direct Parallel
    - Network: WAN Miniport (L2TP)
    - Network: WAN Miniport (PPTP)
    - Non-PnP: diskperf
    - Non-PnP: NetBIOS over TCP/IP
    - Non-PnP: Parallel
    - Non-PnP: Parport
    - Non-PnP: ParVdm
    - Non-PnP: RAS Auto connection driver

- install any drivers for your hardware, storage drivers last, then reboot.

- I activate Windows once all hardware is installed and everything seems ok, but this could wait a bit longer (30 days longer at worst).
- Install the latest service pack (SP1 at least is needed to disable DCOM properly)
- Install IE6 SP1 (not necessary with XP SP2/SP3)
- Install DirectX 9 (latest revision) (not necessary with XP SP2)
- Install post-service-pack patches (an automated, quiet method using VBS is available here: http://www.legolas.com/wac/install_patches_with_vbs.txt)
- Disable any performance counters you don't want (these also reduce errors in the event log) (see http://www.legolas.com/wac/perfmon.txt, but I'll probably upload my reg file for this soon)
- Configure file types so that Outlook Express is no longer the reader for .eml and .nws files; use Notepad / a text viewer instead (security tweak)
- Group Policy (see http://www.mikeymike.org.uk/wac/group_policy.txt for a 'how to get to this'):
  - Computer Configuration > Administrative Templates > System > Logon: Maximum retries to unload and update user profile: 2 (stops logoffs taking ages)
  - User Configuration > Desktop > Active Desktop: Disable Active Desktop: Enabled (reduces Explorer memory usage)
- Set all user TEMP variables to D:\TEMP (or whatever your data drive is, assuming D)
- Set the system TEMP variables to D:\TEMP
- Install any other software needed.
- Defrag the system partition, maybe other partitions too if necessary
- Defrag the registry files (PageDefrag, a util from www.sysinternals.com, does this)
- GUI tweaks:
  - CP > 'Switch to classic view'
  - View > List
  - Tools > Folder Options > 'Use Windows classic folders'
  - View > reset all folders, then apply to all folders:
    [ ] automatically search for network folders and printers
    [ ] display file size information in folder tips
    [ ] display simple folder view
    [x] display the contents of system folders
    [x] display the full path in the address bar
    [ ] display the full path in the title bar
    [x] do not cache thumbnails
    [x] show hidden files and folders
    [ ] hide extensions for known file types
    [ ] hide protected operating system files
    [ ] launch folder windows in a separate process
    [ ] restore previous folder windows at logon
    [ ] show Control Panel in My Computer
    [x] show encrypted or compressed files in colour
    [ ] show pop-up descriptions
    [ ] use simple file sharing
  - Desktop > 'Windows Classic' theme
  - Appearance > Effects: switch off font smoothing if you don't want/need it; transition effect: scroll, then disable it; disable shadows
  - Desktop > Customise Desktop: show the icons you want; disable the Desktop Cleanup wizard
  - Set a non JPEG/GIF/PNG wallpaper, don't stretch it
  - Settings: choose your preferred colour depth/resolution; in Advanced, check that the highest refresh rate your monitor can handle is set.

Modified: 31/10/2008, Mike Moratz-Coppins.
Tested on: WinXP Home/Pro
www.mikeymike.org.uk