Question Windows Profile that launches VM - Possible?

SyCoREAPER

Jan 11, 2018
Even hacky solutions are on the table.

Someone keeps *expletive* the family computer at my parents' house. I'm tired of fixing it when I go over. I know I could spy on it, track every click and site visited, do all the creepy stuff but I don't want to do that.

I'd like to have a VM open when you click a user profile, I just don't know how. I'm sure there are 3rd party apps but I don't know of any or how to even phrase a search for it. The only solution that keeps going through my head is install an internet Cafe like software that locks down the entire PC and only allows launching a VM but I'd like something a little more seamless.

Simply running a VM fullscreen at login obviously won't work because it won't lock down/protect the system even if I restrict virtually everything in gpedit which would also be very time consuming.
 
There's an easier way to do this.

Create a local Standard level user account that's easily accessible and lock down the others tightly. You can take this a step further by assigning the account as a Guest, which will further heavily restrict what they can do. See
View: https://www.youtube.com/watch?v=-U6UPlWxDI0

If you have other user accounts that have admin rights, either create a local admin account and change theirs to Standard users, remove those accounts from the OS, or ask the owners to change their password (going on the assumption whoever's mucking around with the computer knows one of those accounts' password)

Basically a Standard user account can't make any system level changes. It'll elevate the UAC prompt, but it'll require them to login as an admin. As long as the admin account has a password that isn't guessed so easily, they can't really do anything to break the system.

You can also set up web browsers to tell them to not remember a thing, but those settings are per user account so if someone knows what they're doing, they can undo that.
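The account layout described in the reply above, as a PowerShell sketch (an added example, not part of the original post). The account names `FamilyAdmin` and `Family` and the `$Apply` switch are assumptions made for illustration; with `$Apply = $false` the script only reports which accounts it would demote.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: 'FamilyAdmin' is the single admin account whose
# password stays private; 'Family' is the easily accessible Standard account.
$AdminName    = 'FamilyAdmin'
$StandardName = 'Family'
$Apply        = $false   # set to $true to actually change group membership

# Resolve the built-in groups by well-known SID so localized Windows works too.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators
$users  = Get-LocalGroup -SID 'S-1-5-32-545'   # Users

# 1. Make sure the dedicated admin exists BEFORE anyone is demoted,
#    otherwise the machine could be left without a usable administrator.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $AdminName" -AsSecureString
    New-LocalUser -Name $AdminName -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group $admins -Member $AdminName
}

# 2. Create the everyday Standard account (member of Users only).
if (-not (Get-LocalUser -Name $StandardName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $StandardName" -AsSecureString
    New-LocalUser -Name $StandardName -Password $pw | Out-Null
    Add-LocalGroupMember -Group $users -Member $StandardName
}

# 3. Find every other user account that still has admin rights and move it
#    to Standard. Groups nested in Administrators are left for manual review.
$report = Get-LocalGroupMember -Group $admins |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        $short = ($_.Name -split '\\')[-1]
        # Keep the dedicated admin and the built-in Administrator (RID 500).
        if ($short -eq $AdminName -or $_.SID.Value -like '*-500') { return }
        if ($Apply) {
            Add-LocalGroupMember -Group $users -Member $_ -ErrorAction SilentlyContinue
            Remove-LocalGroupMember -Group $admins -Member $_
        }
        [pscustomobject]@{ Account = $_.Name; Source = $_.PrincipalSource; Demoted = $Apply }
    }

$report | Format-Table -AutoSize
# The built-in Administrator should normally stay disabled on a home PC.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object Name, Enabled
```

Run it once with `$Apply = $false` to review the list, confirm you can sign in as the dedicated admin, then rerun with `$Apply = $true`.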
 
It's not just installing. I want the entire PC sandboxed. Safe from web threats, poking around, etc..

That way if I know exactly who is the one breaking it based on the VM and also not have to redo Windows every time, I can just store and restore a backup of the VM image of the respective user as if it were a fresh install.
 
You could probably hack a solution to launch a VM upon "ThisUser"

But, any sufficiently motivated young idiot will get around that.

Solution?
Give him his own hardware. A whole, cheap, PC, for him to screw up.
No access to the other family system(s).
 
You could add a startup instance for the VM server in Settings > Apps > Startup and go from there, depending on which VM platform you intend to use (e.g. Windows Sandbox / Hyper-V, VirtualBox, etc). And yes, lock down user privileges in the Windows account to begin with.

If it's a 10-year old aspiring hacker doing all this then you'll need to do more than just lock down a VM - you'll need to password the BIOS, turn off USB support, weld the case shut, etc...

TBH this sounds like more sysadmin effort than just setting Standard User / Guest User and occasionally doing maintenance remotely.
 
You could add a startup instance for the VM server in Settings > Apps > Startup and go from there, depending on which VM platform you intend to use (e.g. Windows Sandbox / Hyper-V, VirtualBox, etc). And yes, lock down user privileges in the Windows account to begin with.

TBH this sounds like more sysadmin effort than just setting Standard User / Guest User and occasionally doing maintenance remotely.
But what makes this human only be able to use a VM instance from that same host Windows system?
 
But what makes this human only be able to use a VM instance from that same host Windows system?
I suppose the other question is more an ethical one - if the computer belongs to the OP's parents then they can do whatever they want. I'd want to know exactly what role the OP is playing here. Did their parents ask for help, or are they being directed by the OP?
 
I suppose the other question is more an ethical one - if the computer belongs to the OP's parents then they can do whatever they want. I'd want to know exactly what role the OP is playing here. Did their parents ask for help, or are they being directed by the OP?
Right.

A LOT of questions like this need a social solution, rather than a technical one.

There are probably a lot of ways to do what the OP wants.
But given the same PC, a sufficiently motivated geek teenager will get around all that, and continue to screw up the family PC.

Give him his own hardware.
"You get one and only one 'FIXIT' from me....after that, that system is all yours"
 
It's not just installing. I want the entire PC sandboxed. Safe from web threats, poking around, etc..

That way if I know exactly who is the one breaking it based on the VM and also not have to redo Windows every time, I can just store and restore a backup of the VM image of the respective user as if it were a fresh install.
Given a sufficiently motivated individual, which it sounds like that's what we're dealing with, there's nothing you can really do other than what @USAFRet said, give them their own hardware.

If that's not viable and you want to lock this computer down, the next easiest method I can think of is make a Linux Mint bootable USB drive and take out the storage drive in the computer. Booting into this allows you to boot into an OS with some basic apps so you can still do stuff, but you can't modify the OS whatsoever while booted into it. Linux Mint is also a user friendly distro and has one of the gentlest learning curves going from Windows to it.
 
and also not have to redo Windows every time,
You do know that you can take a clone of the whole system and restore it in like 10 mins right?!
If you set up Windows on its own partition then it's going to be even faster and you can keep a lot of installed stuff on the other partitions.

I'm pretty sure you can even automate the procedure so that the one screwing up the system can also restore it just by popping in the appropriate usb stick with the cloning tool on it.
 
Given a sufficiently motivated individual, which it sounds like that's what we're dealing with, there's nothing you can really do other than what @USAFRet said, give them their own hardware.

If that's not viable and you want to lock this computer down, the next easiest method I can think of is make a Linux Mint bootable USB drive and take out the storage drive in the computer. Booting into this allows you to boot into an OS with some basic apps so you can still do stuff, but you can't modify the OS whatsoever while booted into it. Linux Mint is also a user friendly distro and has one of the gentlest learning curves going from Windows to it.
I thought about a live Linux situation but I tested a few variants a while back and they don't like the hardware. It was slow as can be. Never seen Linux run that bad.

You do know that you can take a clone of the whole system and restore it in like 10 mins right?!
If you set up Windows on its own partition then it's going to be even faster and you can keep a lot of installed stuff on the other partitions.

I'm pretty sure you can even automate the procedure so that the one screwing up the system can also restore it just by popping in the appropriate usb stick with the cloning tool on it.
Yeah but then that wipes the good accounts/profiles without issues (in the scenario I proposed). My method, if I could figure out how to get running, would make each account modular in a sense and one profile wouldn't affect the whole system and as such a profile restore wouldn't hurt the accounts that aren't the issue like a whole clone would.
Not VM, not profiles, but different virtual disks.

View: https://www.youtube.com/watch?v=8T3BxqExMWQ
I'm literally half asleep but the beginning sounds like this might be a viable option if it does what I anticipate the content creator shows. I can use a custom bootloader asking which user.
This isn't even a solution I thought of or was possible. I'll definitely watch this once the spongy thing in my skull boots up fully.
 
I suppose the other question is more an ethical one - if the computer belongs to the OP's parents then they can do whatever they want. I'd want to know exactly what role the OP is playing here. Did their parents ask for help, or are they being directed by the OP?
(edit that sounds combative but isn't meant to be, still waking up) My role is I am their "child" and though I'm reaching my limit, if they ask for me to fix something they can't, I do. They provided for me when I was a child and I'm repaying the same implied courtesy and help in the ways I can. So in short, they want it fixed but I want to fix it but also fix it so I can easily do so without a ton of work each time.
Right.

A LOT of questions like this need a social solution, rather than a technical one.

There are probably a lot of ways to do what the OP wants.
But given the same PC, a sufficiently motivated geek teenager will get around all that, and continue to screw up the family PC.

Give him his own hardware.
"You get one and only one 'FIXIT' from me....after that, that system is all yours"
That's the issue, given I don't know if it's my brothers when they come over or some other person, there is the potential of a motivated individual in this case. If I'm going through all this I want to think it through thoroughly and do it right the first time.

I pushed the hardware narrative but my parents didn't go for that. That's where they pushed back on the suggestions.

I think @lantis3's suggestion may be a viable alternative to the approach I had in mind.
 
That's the issue, given I don't know if it's my brothers when they come over or some other person, there is the potential of a motivated individual in this case. If I'm going through all this I want to think it through thoroughly and do it right the first time.

I pushed the hardware narrative but my parents didn't go for that. That's where they pushed back on the suggestions.

I think @lantis3's suggestion may be a viable alternative to the approach I had in mind.
Depending on what this user is doing with the system, a VM may not be acceptable.

Gaming in particular, can have issues with giving the full desired performance.

And ultimately, given physical access to the system....said person WILL circumvent this VM solution.
 
Depending on what this user is doing with the system, a VM may not be acceptable.

Gaming in particular, can have issues with giving the full desired performance.

And ultimately, given physical access to the system....said person WILL circumvent this VM solution.
It's not a gaming machine, just casual use and indeed it is possible it could be circumvented still but I'm going to lock the BIOS so that's inaccessible. The custom bootloader solution will act as a profile selector, I won't have the real Windows show in the bootloader, that will only be accessible with my USB boot disk and Windows login prompt will be set to NT style asking for UN and PW so it can't be guessed.

The only way around this is if the individual is smart enough to use their own boot solution. My counter to that is, my parents are going to be more aware when someone's on it and not spy but glance.

The real Windows and browsers, etc, will have a different appearance from the VMs that will be an instant red flag.

I know all this is really over the top to an outside party and may seem like a lot of work but constantly rebuilding Windows, each profile, making sure all files are accounted for, all installed applications, icons where they were before.. It's too much work.
 
I know all this is really over the top to an outside party and may seem like a lot of work but constantly rebuilding Windows, each profile, making sure all files are accounted for, all installed applications, icons where they were before.. It's too much work.
That is EASILY prevented with a good backup routine.

If any or all of my drives were to die or be compromised right now, I could recover each or all of them to the exact state they were in the wee hours of this morning.

Every day.

No reinstall, no hunting for files or applications, nada.
Full drive backup and Incremental images....click click, wait an hour, done.
 
That is EASILY prevented with a good backup routine.

If any or all of my drives were to die or be compromised right now, I could recover each or all of them to the exact state they were in the wee hours of this morning.

Every day.

No reinstall, no hunting for files or applications, nada.
Full drive backup and Incremental images....click click, wait an hour, done.
I'm not there daily let alone frequently enough to maintain a routine and they don't have the storage for me to do that.

That's also where the no hardware is the issue, they said no extra gadgets and they're not spending any money (neither am I). The laptop is already populated with the sole m.2 which isn't big enough for a backup, which goes back to needing a bigger drive to partition for the backups which means money.

I'm in a cramped situation trying to be creative with what I have at my disposal so I'm not dismissing any of these posts' suggestions as bad, just unfortunately not an option in my unique situation.
 
I'm not there daily let alone frequently enough to maintain a routine and they don't have the storage for me to do that.

That's also where the no hardware is the issue, they said no extra gadgets and they're not spending any money (neither am I). The laptop is already populated with the sole m.2 which isn't big enough for a backup, which goes back to needing a bigger drive to partition for the backups which means money.

I'm in a cramped situation trying to be creative with what I have at my disposal so I'm not dismissing any of these posts' suggestions as bad, just unfortunately not an option in my unique situation.
You're in a tough spot.

Try the VM solution as above.
 
VHD is better option in my opinion. VM solution requires additional licenses.

I set up an automatic VM launch solution using profiles in the past for my sister's family members and they still prefer the physical machine and comingle their logins and it became a mess yet again eventually.

Of course they have individual PC now.
 
A few other possible solutions, in a nutshell:
  1. Parents migrate to cloud-based storage for critical files, and turn on 2FA for access
  2. Lock the laptop in a secure cabinet/safe when not in use, and when visitors present
  3. Boot to Hyper-V instance on an external drive (another link here)
  4. Migrate to portableapps.com on thumb drives