Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator

Mapped drives created in Windows Explorer Tools -> Map network drive OR via command prompt (cmd.exe) net use command will not be visible in programs that “run as administrator” ie with elevated privileges.

Eg if you do Start Orb -> type “cmd” without the quotes into the search box -> right click on cmd and select “run as administrator”

…then you will get an command prompt running with elevated privileges.

(There other other ways to get an elevated cmd prompt if you dont want to be bothered by UAC.)

If you do net use in that command prompt to show mapped netowrk drives, you wont see the same as you see in un-elevated or in windows explorer.

The key tidbit going on here is that an administrtor accoutn has 2 access tokens, a filtered and regular. Regular is priviledged / elevated. Filtered has the privs filered out, if you will.

And mapped drives are associated with only 1 particular access token; 1 or the other, not both.

A key to understanding this mechanism is

This article is so important, i quote it below so that if it ever goes away it’ll still be here. And i quote it with its user comments, cuz they are also key, in this case. Good, hi quality comments.

One of the places this technet article is referecned is

Microsoft KB

That was a technet article. Microsoft’s offical KB on it is here, but IMHO not as informative (and contains a bug)

One of the places this KB article is referecned is

Unfortunately the suggestion in this KB article is wrong, i think. It suggests to do net use without a drive letter:

To work around this issue, use the net use command together with a UNC name to access the network location. For example, at a command prompt, type the following command, and then press Enter:


I just tried this and it did not make the \\COMPUTERNAME\SHARENAME appear in the other net use listing.

Now it’s possible that even tho it did not appear in the net use listing, it did log me in in both prived and non-prived. I did not test this, cuz i was already logged in in both prived and non-prived and so it requires logging out to test and i cant do that right now for other reasons.

Quote of technet article

NOTE: the comments have important info, eg, some, but not all, ppl see the logon script that maps drives running at elevated privs, so that they see mapped drives elevated but not un-elevated; all hinges on what access token is in use when the logon script runs

Some Programs Cannot Access Network Locations When UAC Is Enabled

47 out of 70 rated this helpful Rate this topic

Updated: November 16, 2009

Applies To: Windows Server 2008 R2


After you turn on User Account Control (UAC) in Windows Vista or Windows 7, programs may not be able to access some network locations. This problem may also occur when you use the command prompt to access a network location.


This problem occurs because UAC treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

When a member of the Administrators group logs on to a computer running Windows Vista or Windows 7 that has UAC enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and you want to perform a task that requires a full administrator access token, UAC prompts you for approval. For example, if you try to edit security policies on the computer, you are prompted. If you approve the action in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to a computer running Windows Vista or Windows 7, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user provides approval in a User Account Control dialog box.

If a user is logged on to a computer running Windows Vista or Windows 7 and if UAC is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

When network shares are mapped, they are linked to the current logon session for the current process access token. This means that if a user uses the command prompt (cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.


This section contains steps that modify the registry. Incorrectly editing the registry may severely damage your system or make your system unsafe. Before making changes to the registry, you should back up any data on the computer. For more information about how to back up and restore the registry, see article 322756 in the Microsoft Knowledge Base (

To work around this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista and Windows 7 to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.

To configure the EnableLinkedConnections registry value

  1. Click Start, type regedit in the Start programs and files box, and then press ENTER.
  2. Locate and then right-click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Point to New, and then click DWORD Value.
  4. Type EnableLinkedConnections, and then press ENTER.
  5. Right-click EnableLinkedConnections, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the computer.


Community Additions


Doesn’t work properly with Windows 8.x

On Windows 8 and Windows 8.1, ‘EnableLinkedConnections’ does enable mapped drives to appear for local Administrators however drives mapped to a subfolder of a share do not then map correctly. So if you try to map a drive to \\server\share\subfolder the mapped drive appears but is incorrectly mapped to \\server\share instead.

Does This Open A Security Vulnerability?

There are articles all over the internet that quote this registry hack. Most (,,,, and notably also state that using it opens a security hole.
Microsoft does not discuss (in the article above) whether this creates a security vulnerability or what it might be. I spent all morning trying to find this original article to find out what the security risk might be. I’m disappointed that it is not discussed.
So here are some questions:
• If there is a risk, what is it?
• If there is no risk, why isn’t it the default?
• Where did all those other sites get the idea that it is potentially dangerous?


Article seems correct to me.

I am seeing results consistent with the article and different than the two previous comments. I am a domain admin and when I log in, the drives mapped in the login script are available in Explorer and at a command prompt without elevated privileges. When I run a command prompt as administrator, the drives are not available. In the elevated command window, the drives are listed by net use, but show a status of unavailable.

Windows 7, 64bit and 32bit

Thank you, this solved my problem.

Some additonal information: I had a problem on my Windows 7 64bit system where mapped drives would not show when using the Win32Api function: GetLogicalDrives().

By adding the registry key, I was glad to see that my mapped drives were shown again.

However, on a my 32bit system, which does not have this registry key, mapped drives do get shown when using the Win32Api GetLogicalDrives() function…


Problem description is misstated.

This problem description in this article needs to be updated. Some of the statements in it are the exact opposite of the truth about how UAC works.

Drives mapped by logon scripts are only available to processes the are launched using UAC elevation or Run As Administrator. However, this article incorrectly states the reverse — that they are only accessible to processes started by the filtered logon token. To verify this, create a simple logon script to map a drive. Make sure that this drive has not been manually mapped already. Then logon to the computer with UAC turned on using and administrator account. Open Windows Explorer and there will be no mapped drive shown there because the drive is not accessible to the filtered token which is what Windows Explorer and non-elevated processes use to run. Open a command prompt and try to change the directory to the mapped drive. Again, it is not accessible. However, if you open a command prompt using Run As Administrator, you will see that you are able to change the directory to the mapped drive.

Likewise, if you launch a program that requires UAC elevation or run a program as administrator, you will also see that drives mapped by logon scripts are available to those programs,but not to programs that do not run elevated.
Please also note that drives that are mapped manually using Windows Explorer or net use in an unelevated command prompt are not available to processes that use the elevated token (elevated through UAC or using Run As Administrator). To test, manually map a drive through Windows Explorer and launch a program that prompts for UAC elevation or use Run As Administrator. Using the program, try to open a file on the mapped drive. You will notice that the mapped drive is not available. However, if you open an elevated command prompt and then use the net use command to map a drive, it will then be available to the elevated program.


Logon scripts and UAC

The text is incorrect imho. Windows 7 behaves like this: the logon script runs at the elevated account and mappings are made using this. After logon explorer starts with the standard account. Missing the registry key – the standard account does not see the mappings. Running an elevated cmd prompt reveals the mappings.

Important to note: the same behaviour is observed for accounts that are member of the Power Users group. No special permissions are given to the group but a logon script runs as Power Users, after logon the standard account does not see the mappings. There seems to be no way to elevate to a Power User. Hard to explain to your users. Ouch.
Best use the EnableLinkedConnections registry key to avoid this.


WiFi (Wireless) Security : WEP WPA WPA2


Wired Equivalent Privacy
WiFi Protected Access
WiFi Protected Access II
WiFi Protected Setup – Unlike the others, which encrypt traffic over the air from your device (eg, laptop, tablet, phone, Wii, ps3, xbox, tivo) to the wireless router, this one, WPS, is a way of setting up your router for the first time. It was meant to make setup, easy, even push-button, and to set you up, out of the box, with good security, but, sadly, it has a security flaw that makes the network INsecure. Doh!


My interest here is in answering the question “What security should i select?”

Unfortunately there is no one answer because of the timelines of deployment of these technologies.

The securist (is that a word?) is WPA2.

The only reason not to choose WPA2 is OLD DEVICES.

WEP was born in 1999, and was deprecated in 2009.

However, WPA came on the scene 2003, and started to become popular in machines manufactured in 2003 with sales ramp in 2004.

And WPA2 came on the scene in 2004, and started to become popular in machines manufactured in 2004 with sales ramp in 2005.

So if you have a device that’s from 2003 or before (today in year 2014 that’s 11 years ago–a long time in electronics), then that device will not support the strongest security, WPA2. Even if it’s from 2004-2005 it might not.

So if you set up WPA2 on your wireless router, your old devices (or the old devices of your friends and family who visit your home, or customers who visit your business) will not be able to connect.

For devices purchased in the year 2006, i’d say you have a mixed bag.
Some devices will support WPA2 (especially the more expensive ones) some wont (especially the budget-friendly / value ones).
Some devices will support still support WEP (especially the budget-friendly / value ones), and some won’t (especially the more expensive, security conscious ones).

WPA2 is safer than WPA, which is safer than WEP. WPA also has 1 year, maybe 2 year max, jump on WPA2. Meaning, if your devices was purchased in 2003-2006 it might have WPA and not WPA2.

WPA2 became standard in 2006. Most devices manufactured after this time and likely purchased in 2007 and later will be WPA2 compliant. Some of these devices will not even support WEP at all. So if you choose WEP for your wireless router, some NEW devices might not be able to connect.

So, what’s the answer? It depends on the age of the devices trying to connect. But, in 2014, we’re moving solidly into WPA2 and it’s getting more solid all the time, as old devices fade away.

Windows XP
FYI, Windows XP received an update in 2005 to support WPA2. It got an update in 2006. Those years were during the SP2 time frame, and WPA2 was included in the most popular SP3. HOWEVER, the PC hardware that Windows XP is running on has some kind of wireless adapter (all laptops do), and THAT has to also be WPA2 compatible. So, if you bought your laptop in 2005-2006, and you received the WPA2 WXP update, then you STILL might not be able to use WPA2 cuz of your hardware (even tho WXP could do it).

Support for WEP, WPA, WPA2 by year of purchase of device

(Note: year of purchase might be 1 year after year of actual MANUFACTURE.)

year of purchase: 2002 2003 2004 2005 2006 2007 2008 2009
security protocol support: WEP yes yes yes yes maybe maybe maybe maybe
WPA no maybe maybe maybe yes yes yes yes
WPA2 no no maybe maybe maybe yes yes yes


How do I search for a task in task scheduler (use autoruns)

Background on Windows Task Scheduler

If you’re already familiar with task scheduler skip to the answer

Windows (7, 8*) has many tasks that are scheduled to run at various times. Programs you install often create new tasks of their own to run at various times. These tasks can be set up to run at various times of day, or on various triggers, like system start, or user logon, or the start of a program (most likely a related program to run in a coordinated fashion).

You start task scheduler by

Windows 7:
clicking on the start orb (or hitting Ctrl-ESC) and typing “task” in the search box and clicking on “Task Scheduler”
Windows 8*:
Going to the tile screen (or hitting Ctrl-ESC) and just typing “task”. It’s in the “Settings” group; click on “Task Scheduler”.

How to search–You Can’t–Use autoruns

The short answer is that Windows Task Scheduler PROVIDES NO WAY TO SEARCH.
But, fortunately, another program Sysinternals autoruns, does.

Download autoruns here:

(it’s a .zip file so after downloading you’ll have to double-click it to open the .zip file and extract all the files in it to a folder that you’ll remember.)

Then double click on autoruns.exe to start it. (not the file with the ‘c’ in it’s name–that one runs the console-only application. That is, unless you like the command line style.)

Click the “Scheduled Tasks” tab to show ownly scheduled tasks.

Click File -> Find (or type Ctrl-F) and search for your task.

Once you find it, you can see the hierarchy in the first column of where it’s stored in regular task scheduler.


pastebin is a generic term for posting text (usually programming code) online so that others can see it.

For example, to collaborate with people on the internet to improve or debug code.

Or to post a long segment of code in an online forum; rather than include the code directly in the post, just post the link to the pastebin.

The original and namesake is;

Two others are hastebin and GitHub Gist

A related site/concept is jsfiddle which allows pasting of all 3 of these: HTML, Javascript, CSS, and will actually run them for you. So it’s a sharing and testing platform in one.

Enable Admin Shares (C$) on Windows 7

Enable File and Print Sharing

The first step to enable administrative shares is to make sure you have File and Print sharing enabled.  While you’re at it, I recommend turning on Network Discovery also

  1. Click the Windows button (formerly the Start button).
  2. Type “advanced shar” into the search text box (that’s all you need).
  3. Click the link to “Manage advanced sharing settings” (aka “Change advanced sharing settings”).
  4. In the window that opens, expand the “Home or Work” profile and browse to the “Network discovery” section.
  5. Click the link to “Turn on network discovery (Figure 1).
  6. Browse to the “File and printer sharing” section.
  7. Click the link to “Turn on file and printer sharing (Figure 1).
  8. Click Save Changes.

Note that this will only enable file and printer sharing for your home network. If you connect your computer to a public or “unknown” network, your shares will still remain disabled. It is not recommended, but If you want to change this, follow the above procedure for the “Public” profile.


Figure 1

Step 2: LocalAccountTokenFilterPolicy

The next step is to go into the registry and give local users the ability to access remote administrative shares. BE CAREFUL–you can destroy our system by editing the registry.

  1. Click the Windows button and in the Search box, type “regedit”. If you get a User Access Control warning, click Yes.
  2. The Registry Editor will open. Expand the items until you get to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (Figure 3).
  3. Click Edit from the top menu then New and then DWORD.
  4. Type in LocalAccountTokenFilterPolicy for the name of the DWORD. Hit ENTER.
  5. Double click the new entry and enter “1” for the value. Click OK.
  6. Close the Registry Editor and reboot your computer.
IMAGE:Regedit create LocalAccountTokenFilterPolicy

Regedit create LocalAccountTokenFilterPolicy

What’s going on here?

You might be familiar with UAC (User Account Control)

IMAGE:UAC example

UAC example (for regedit in this case)

This is new for Windows Vista and Windows 7. It is Microsoft’s attempt at security. The idea is that before programs can do dangerous things, or access sensitive areas, the OS will prompt the user for an additional OK. If the user expects this, they can click YES, if it comes out of the blue, they can click NO. For example, if some program is running in the background without the user’s knowledge, and tries to change a sensitive area, this UAC prompt will come out of the blue, and the user can then click NO, protecting his computer.

Clicking YES to the UAC prompt enables what’s called as “elevated privilege”. Ie the process now has more privilege to access and change sensitive areas.

Well, when logging in from a remote PC, like you do when you’re trying to access a network admin share, even if you provide username and password to an administrator account, you do NOT get elevated privilege and there is no UAC prompt.

The LocalAccountTokenFilterPolicy turns this off. The values of 0 and 1 dont make any sense, so i provide mnemonics to help remember below.

Value  Description Mnemonic
0 This value builds a filtered token. This is the default value. The administrator credentials are removed. zero-no privileges
1 This value builds an elevated token. 1-privileges on


Start program WITHOUT UAC, useful at system start and in batch files (use task scheduler)

I like to run the search program Everything (link valid 6/4/2014 but check for any updates) but it is a stand-alone executable downloaded from the internet so it triggers a UAC (User Account Control) warning.

No biggie, but i also want it to start automatically when windows starts. And i dont want to have to click UAC or have my customers click UAC every time they start windows.

I also might want to put commands that must be elevated in batch jobs (.bat files) when there’s no one there to click YES to the UAC.

The workaround is to go thru task scheduler. There you can set up a task to start with elevated privileges which won’t trigger a UAC.

The article at contains the basic, but forgets some points.

My edits are in green:

Creating a Scheduled Task

1. Open Task Scheduler by clicking the Windows Orb and typing “task” and selecting “Task Scheduler” from the search results, or from Control Panel or by running the command control schedtasks from Start, Search box.

2. Left-click Task Scheduler Library category in the left to select it (make it highlighted; or else you can’t do “New Folder” below)

3. Right-click “Task Scheduler Library” category in the left, and choose New Folder

4. Name the folder as MyApps (or whatever name you choose; you’ll use the same name again, below)

5. Click the little triangle to the left of “Task Scheduler Library” to display the list of folders beneath it, including our newly created MyApps folder.
Select the MyApps folder (or whatever you named it) by left clicking on it once.

6. In the Actions pane on the right, click Create Task…

7. Type a name for the task that you want to create. You’re going to have to type this again later, so for convenience, keep it short and dont use any spaces.

8. Enable the option Run with highest privileges. This is an important step. In fact the key to the whole thing.

8.a. (FYI The “Hidden” checkbox refers to only viewing tasks in the task scheduler; there is way to show or now show hidden tasks when in task scheduler; This Hidden settings does not make the task hidden in any way when it runs.)

9. Select the Action tab

10. Click New

11. Click Browse… to select the program (Example: Regedit.exe) you want to run, and mention the parameters (called arguments in task scheduler). required if any, for the application. (For example, to run a .REG file, select Regedit.exe and mention the parameter (argument) as “/s filename.reg” without the quotes. Another example: my Everything program takes a -startup argument to start in the system tray rather than with a window.)

To run Services MMC applet, browse and select MMC.EXE and type services.msc in the Add arguments (optional) field.

12. Select the Conditions tab

12.a. UNcheck “Start the task only if the computer is on AC power”

13. Select the Settings tab

13.a UNcheck “Stop the task if it runs longer than”

13.b at the bottom there is “If the task is already running, then the following rule applies:” You can choose whatever you want here.

If when it’s running you want to not start another one, select “Do not start a new instance”.

If when it’s running you want might want start another one running simultaneously, select “Run a new instance in parallel”.

If when it’s running you want to end the one that’s currently running, and start another one running, select “Stop the existing instance”.

I suppose “Queue a new instance” is helpful, but i can’t think of an example right now.

Note, you can export this to an xml file (see below) and then import it into another system

Creating a Scheduled Task via cmd line schtasks

(NOTE: this method is NOT AS GOOD–see below)

Alternatively, you can create a task via the cmd line schtasks :

schtasks /create /sc once /tn cmd_elev /tr cmd /rl highest /st 00:00
invoke the schtasks.exe cmd line program
schtasks can also query, delete, etc; we want to create a task
/sc once
how often to run; we’re not creating a repetitive task; in fact we dont want to run it at all, just set it up to be run manually, but that option does not appear to be available, so “once” is the closest (see explanation at /sc starttime)
/tn cmd_elev
/tn stands for Task Name and you can name it anything you want (but you have to use the same name when you later invoke /run
/tr cmd
the command to run, in this case the cmd.exe program, aka command prompt
/rl highest
Why we came to the party. /rl stands for Run at privilege Level; and we want the highest priv level

/st 00:00
/st stands for Start Time; dont want a start time, but it appears to require one. When you create thru the GUI you dont have to have a trigger at all, but via cmd line you seem to (or was it just me?). I just put in 00:00 (format is HH:MM) which is never in the future, which means it’ll trigger a warning

WARNING: Task may not run because /ST is earlier than current time.

Yeah, that’s what i want. (NOTE: love those microsoft guys: it’s a nit, but when the time is EQUAL to the current time, you get the warning)

If all goes well, you should see

SUCCESS: The scheduled task "cmd_elev" has successfully been created.

or whatever name you called it.

If you re-run the line (let’s say you were experimenting 😉 you will get the warning

WARNING: The task name "cmd_elev" already exists. Do you want to replace it (Y/N)? y

You can safely say Y to this.

NOTE: this method is NOT AS GOOD as creating thru the GUI. At least i could not find the switches to set some important things.


  • “start the task only if the computer is on ac power” will be checked in the conditions tab; not ideal
  • “stop the task if it runs longer than [time]” where time defaults to “3 days” will be checked in the setting tab; not ideal

Launching a Scheduled Task item manually

To run a scheduled task item manually, use the schtasks.exe command-line tool that comes with Windows. For example, to launch the Services console task that you already created, use the following command:


Note: Where MyApps\REGEDIT is the name you chose for the folder and Taskname. You’ll need to enclose the task name within double-quotes if the task name contains blank spaces in between. (Example: SCHTASKS.EXE /RUN /TN folder\“Name of the Task”) If the folder has spaces, you’ll have to enclose that in double-quotes; perhaps best to enclose the whole thing. (Example: SCHTASKS.EXE /RUN /TN “folder\Name of the Task”)

Creating Shortcuts to run each Task

You can create a Desktop shortcut for each scheduled task item you’ve created earlier. Right-click on the Desktop and choose New, Shortcut. Type the command-line (say, SCHTASKS.EXE /RUN /TN MyApps\REGEDIT). Mention a name for the shortcut and click Finish.

Run the task minimized

As Schtasks.exe is a console utility, you’ll see the Command Prompt window opening and closing quickly whenever you run the shortcut. So, you may configure the shortcut to run in a minimized window state, in the the shortcut properties.

  • Right-click on the shortcut and click Properties.
  • In the Run drop-down options, change the selection from “Normal Window” to Minimized.
  • Click OK.

Note: In the shortcut properties, you may want to click Change Icon and assign appropriate icon for the shortcut. The icons should be present inside the executable itself, in most cases. For Regedit.exe, browse to Regedit.exe and choose an icon. You may also browse the shell32.dll and imageres.dll files for additional icons.

xml file

Once you set up a task the way you like it via the GUI (recommended method), you can export it to an xml file so that it’s easier to set up on the next system.

Here’s my xml file for (Search) Everything. Filename ends in .xml.txt so change it to just .xml befor importing to task scheduler. start_search_everything.xml.txt

Other Methods

There are at least three other compelling methods.

The first two come from

1. NirSoft NirCmd

nircmdc has an elevate cmd

nircmdc elevate cmd

2. SysInternals PsExec

Part of PsTools suite.

psexec.exe -accepteula -h -u “$username” -p “$password” cmd.exe

The “-h” switch is the one doing the magic:

-h If the target system is Vista or higher, has the process run with the account’s elevated token, if available.

The third comes from

3. vbs or PowerShell to elevate

key lines are to use the visual basic script / vbscript command UAC.ShellExecute to perform the elevation, create a new cmd (command prompt), and re-run the original bat file, now elevated. Does that by writing a .vbs file:

ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"

Or, you can use PowerShell to elevate:

if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( powershell "saps -filepath %0 -verb runas" >nul 2>&1)

Elevated command prompt and mapped drives

One problem you might encounter when using this method if you’re running a batch file (.bat) in elevated mode, is: Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator. Fortunately, there’s some solutions in that blog post.

Windows 7 ISO direct Digital River download links from Microsoft

UPDATE 11/8/2015:

You can try them, but 11/8/2015 they redirect to Microsoft Home Use Progrgam (hup) for employees of corporations that have paid for MS software licenses at work.

Best thing to do is keep googling for links. Sometimes you need a key to get the download–but then dont need a key to install as trial.

An excerpt from the excellent Sean’s Windows 7 Install & Optimization Guide for SSDs & HDDs at url: <>

Windows 7 ISO download links:

  • Have you lost your disc or is it damaged beyond use and need a legitimate copy of windows 7?
  • Are you getting error messages or BSoDs with your installer?
  • Do you just want a copy of Windows 7 with SP1 pre-installed?

    These are new SP1-U ISOs directly from Microsoft; having a direct Digital River download from Microsoft is the only way you can link Windows 7 downloads on this site. You will still need an activation key to use these copies after the 30 day grace period is over.

    Windows 7 Home Premium SP1-U ISO:
    English 32-bit


    English 64-bit

    Windows 7 Professional SP1-U ISO:
    English 32-bit


    English 64-bit

    Windows 7 Professional N SP1-U ISO: (Note: N editions come without media components)
    English 32-bit


    English 64-bit

    Windows 7 Ultimate SP1-U ISO:
    English 32-bit


    English 64-bit


    Multilingual Windows 7 versions here: (link)

SSDs (Solid State Drives)

Jump right to Contenders for purchasing.

An SSD is a Solid State Disk Drive (also known as a Solid State Disk), a new kind of storage device that has entered the mainstream in 2014. The disk drives you’ve been used to all along are regular HDD’s. A regular HDD contains a round disk called a platter on which the bits of information are written. It contains a spindle that spins, or “drives”, the platter so that the “head” can read and write information from and to the platter as it spins underneath. It is a “Hard” Disk Drive (HDD) to differentiate it from “floppy” (or flexible) platters that were used in the past (ending in the 1990s).

A Solid State “Drive” doesnt “drive” anything, and doesnt contain a disk or platter. So it’s a misnomer. But since it is a replacement for a HDD it is known by the term Solid State “Drive”.

On the inside it is basically a large USB Drive, configured to work as an internal hard disk drive (HDD).

It’s a drop-in replacement for an internal hard drive. With some caveats which i’ll discuss.

It is a drop-in replacement for 2.5″ drives. SSDs tend to be sized the same as 2.5″ HDDs. Ie laptop hard drives. Also, they have a SATA port and interface, so they will plug into the current standard drive interface in nearly all PCs today. You might want v3 of SATA (SATA IIII aka SATA 6.0Gbits/s) to take advantage of the SSD’s additional bandwidth capabilities, but it will work with the previous STAT II installed in most PCs that are a few years old.

So, you can pull out your old drive, and plug in your SSD, and it will work.

Well, sorta.

3.5″ drives, or desktop drives

The first problem is if you have a desktop. SSDs are 2.5″ so they plug right into laptops. But most desktop drives are 3.5″. So you’ll need a physical adapter. The adapter is 3.5″ on the outside, and 2.5″ on the inside. You plug your 2.5″ drive (eg, your SSD) into the adapter (or screw the adapter onto your 2.5" drive), and then the adapter plugs into your desktop PC. Sometimes you need to get a special one from the PC maker.

Erase-before-Writing Requirement

The other 3 issues:

  • wear leveling
  • write amplification
  • Partition Alignment

require some background info to be able to talk about them.

It’s all about how writes happen. Reads are easy and just work.

Here are some key facts to keep in mind, which are crucial to understanding what’s gonig on:

  • Data is written 4KB at a time. These are typically called pages.
  • An SSD can NOT overwrite data. It has to erase it first. So to write, it has to perform a sequence of:
    1. erase
    2. write
  • Data is erased 256KB at a time.
  • A brand new SSD is empty, ie fully erased.
  • Most file systems (developed with HDDs in mind) when they delete files, they dont erase them. They just mark the spots as available for overwrite and leave the old data there. This is problematic for SSDs, cuz that old data DOES have to be erased. More below.

These facts mean you write 1 page at a time (4KB), but you erase 64 pages (256KB) at a time.

In the picture below, you write the blue block. But if you want to erase, you have to erase a BUNCH of adjacent 4KB blocks simultaneously.


(Note that in the picture above, to save space, only 9 x 4KB pages are shown, but in reality there would be 64 x 4KB pages in each 256KB block.)

So, for a new SSD, everything is golden, and writes of only 4KB happen everywhere into free (erased) pages and we’re fine.

The problem comes when we run out of space and have to re-use some old pages.

The OS filesystem will do this. It will have some disk pages that contain data that it knows is from a file that has been deleted. It will instruct the disk (SSD in this case) to overwrite this space.

But the SSD can not simply overwrite, it has to erase first, then overwrite.

And to erase, it has to erase 256KB (64 pages). If ALL of those 64 pages are unused (aka stale), and the SSD knows it (the OS filesystem knows more than the SSD does), then it can simply erase all 64 pages. But more than likely, some of the 64 pages contain real data that must be preserved.

So…the SSD has to copy the good pages to a safe place, erase the whole 256KB block, copy back the good pages, then write the new page that was requested.

In reality, what the SSD really does is pick another entire 256KB block somewhere that’s entirely empty, and copy the good pages to it, re-map where those good pages data is, then write the new page that was requested, keeping in mind its new mapping.

Either way this process is SLOW and would essentially reverse all of the speed benefits of SSDs in the first place.

In the pic below, you see 4 pages (A-D) written.

Then 4 more pages are written (E-H).

Then the original 4 are “overwritten”, meaning the OS has written new versions (A’-D’), and told the SSD that A-D are invalid. So the SSD knows A-D are now unused.

Until an erase happens, the supposedly free pages A-D can not be used by the SSD. So to re-use A-D, the SSD has to copy the good pages (E-H and A’-D’) somewhere else first so it can erase the block:
800px-Garbage_Collection(click to enlarge)

The other problem with this whole erase & write issue is that it causes extra writes (re-writing perfectly good data) to happen. These extra writes wear out the SSD faster. The extra writes are called “write amplification” (see below).

In fact without remediation an SSD would die in a month or 2. So all SSDs are remediated.

Write Amplification

Because of the erase-before-writing requirement (see above), there’s all kinds of re-writing of good data going on. This means, that if you measured the writes going into the SSD at its interface, you would measure a certain amount of writes, but if you looked at what was going on inside the SSD, you’d see a lot more writing going on.

More writes going on inside than the OS asked for is called write amplification.

Garbage Collection

It would be impractical for the SSD to wait for a write command from the OS and then do its erase-then-write. That would be too slow, and no one would buy SSDs. So, instead, SSDs go about doing proactive garbage collection. This is a process by which they move data around creating entire blocks which are all unused data. Then they can erase those blocks when the SSD is idle, and be ready for a speedy write when asked for by the OS.

They also re-map pages. That means the OS asked me, the SSD, to write data at A but i am going to put it at B, and remember the mapping from A to B, so that when the OS asks to read the data at A, i know where to get it.

That’s another way to keep a full set of 64 pages of good data in a block, and keep other blocks completely empty.

All good for speed, but all this proactive activity creates more re-writes of good data, and thus increases “write amplification”.


Wear Leveling

So, another limitation of SSDs (they are not quite a silver bullet, not quite the best thing since sliced bread), is that a given bit of storage can only be re-written 1000 times, for a low end device. Up to 100k for a very hi-end (and expensive!) device. The amount of times you can write a cell is called “write endurance”.

You could easily exhaust that resource in a month of windows running on a drive. There’s lots of things that windows overwrites constantly.


SSDs try to ensure that each bit is written the same number of times, or as close as they can get.

But, some data, like OS files, or maybe your pictures and videos, are written to the disk and just stay there, for YEARS. Unchanged. If SSD did nothing, those bits would have 1 write cycle, while other bits have 100s and 1000s and the drive would die.

So, SSDs move static data around, so it can write some of that rapidly changing data to the fresh bits.

But, these extra writes increase write amplification. In the end, however, it’s a net increase in life for the drive.


Partition Alignment

The OS tends to read and write X-size blocks. You really want those to be aligned to the natural alignment of the SSD.

If not, then the OS block will overlap TWO SSD blocks. So when the OS writes that block, you will have to write (and thus erase) TWO SSD blocks. that’s wasteful, so align your OS.

That means your partition has to be aligned. I’m not sure how to do this yet.


That’s when you say the drive has a certain size, say 500GB, but it really has more, say, 600GB, which would be an extra 20%. The SSD uses this space internally to perform writes with erase, and to do garbage collection, and to move around data proactively to evenly distribute wear (“wear leveling”).


SLC – Single Level Cell
Means 1 bit per cell.
The most expensive.
The most number of writes, 100,000 range, lifetime
MLC – Multi Level Cell
Means “multi” bits per cell, but in practice it is almost always 2.
Middle number of writes, 10,000 – 30,000, lifetime

Altho,,3498-4.html said the MLC’s will do only ~5,000 P/E cycles, and something called “eMLC” (“e” for enhanced, i would guess) could do ~25,000-30,000 P/E cycles.

TLC – Triple Level Cell
Means triple (3) bits per cell.
The least expensive.
The least number of writes, 1,000 – 3,000, lifetime

Altho,,3498-4.html said the MLC’s will do only ~5,000 P/E cycles, and something called “eMLC” (“e” for enhanced, i would guess) could do ~25,000-30,000 P/E cycles.

How to optimize

SSD Speed Tweks at < >

SSD Optimization Guide from <>


Samsung EVO 500GB

NO: Has TLC so many fewer writes (lower write endurance).

$349.99 maybe free shipping at TigerDirect on 3/12/2014

The 840 EVO is missing power loss protection, cross-die redundancy

– From: SSD Deathmatch: Crucial’s M500 Vs. Samsung’s 840 EVO – at tom’ <,3551-14.html>


Crucial M500 WINNER – March, 2014

480GB $239.99 at on 3/12/2014.

Is it 512GB factory overprovisioned? YES

1.2 million hours mean time to failure (MTTF)

Write Endurance: 72TB total bytes written (TBW), equal to 40GB per day for 5 years

Seagate 600 480GB

They also have a Pro version.


Is it 512GB factory overprovisioned? I believe NO since the Pro verrsion has a 400GB factory overprovisioned and a 480GB non-factory overprovisioned. I assume this one is also not factory overprovisioned as it’s the consumer market.

$249.99 Free Shipping at TigerDirect 3/12/2014.

Extensive Specs

Nonrecoverable read errors, max : 1 LBA per 10^16 bits read

10^16 bits = 10^15 bytes, approx.
1GB = 10^9 bytes = 10^10 bits.
so 10^16bits = 10^6GB which is 1million GB.
This drive is 500GB, so you get 1 bit error every 2 million times you re-write the entire drive.
Not bad at all.

Annualized Failure Rate (AFR) : 0.58%

Endurance : 40GBs (max capacity) host writes per day

Limited Warranty With Media Usage: This warranty is based on the shorter of term and endurance usage of the drive: 36 months or 73 (max capacity) TBW (total TeraBytes written) or 73TB TBW (total bytes written) whichever comes first. That’s writing the entire drive 146 times over.

Typical Data Retention with Power removed (at 40°C) : 12 months (Note: As NAND Flash devices age with use, the capability of the media to retain a programmed value begins to deteriorate. This deterioration is affected by the number of times a particular memory cell is programmed and subsequently erased. When a device is new, it has a powered off data retention capability of up to ten (10) years. With use the retention capability of the device is reduced. Temperature also has an effect on how long a Flash component can retain its programmed value with power removed. At high temperature the retention capabilities of the device are reduced. Data retention is not an issue with power applied to the SSD. The SSD drive contains firmware and hardware features that can monitor and refresh memory cells when power is applied.from: Seagate 600 SSD Product Manual.pdf)

Seagate 600 Pro

They also have a non-Pro version.

Seagate 600 Pro-Series 200 GB SSD Review: For The Enterprise – at tom’ <,3498.html>

The 600 Pro ships in six capacities: 100, 120, 200, 240, 400, and 480 GB. This is a fairly interesting set of configurations, since the 100, 200, and 400 GB models are simply factory-over-provisioned versions of the 120, 240, and 480 GB offerings

OCZ Vertex 460 480GB $354.99 maybe free shipping at TigerDirect on 3/12/2014
Intel® 730 Series 480GB

$449.99 + shipping at TigerDirect on 3/12/2014

70GB writes per day for five years (compared to the industry typical 20GB)

SanDisk Extreme II 480GB


Windows ClipBoard Viewer

When you cut and paste, what you cut is stored in the windows “clipboard”.  You can cut and paste (or copy and paste) using the Edit -> Cut (or Edit -> Copy) and Edit -> Paste menu options in nearly all programs.  Or you can cut (or copy) and paste using the Ctrl-X (or Ctrl-C) and Ctrl-V keyboard shortcuts.  As you probably know, “cut” deletes the old one, whereas “copy” preserves the old one.

Either way, this “clipboard”  which stores your cut (or copy) is normally invisible.

On Windows XP there was a way to view it.  You had to run the program "clipbrd" (file: clipbrd.exe) and because it was in the C:\WINXP\system32 or C:\Windows\system32 folder you could run this by using Start->Run and typing clipbrd into the box.

Windows Vista and Windows 7 do not contain the clipbrd program file.

But, you can copy the file from a Windows XP system and just place it in your Windows Vista or Windows 7 C:\Windows\system32 folder and it should just work.