Some Progress: Windows 7 (with Qubes Windows Tools) in Qubes OS 3.1 (Full Desktop Mode works)


piitb...@gmail.com

Mar 15, 2016, 6:26:49 PM
to qubes-users
Hello,

after spending some more hours trying to figure out what breaks my windows 7 VM as soon as I install the Qubes Windows Tools, I would like to share what I found out so far.

In short:
It seems that the installation of the "Qubes GUI Agent" within the Qubes Windows Tools creates some kind of problem on the Windows 7 VM, as this triggers if I can use the VM or not.

More detailed description to revalidate my experience.
(as this is targeted also at newbies, who will find this via Google while troubleshooting, I have included every step), sorry :-)


Install a Win7 VM in Qubes OS 3.1
=================================

- Create Windows VM
qvm-create win7 --hvm --label orange

- Increase initial RAM and max RAM to 4GB (4096)

- Install Windows from .ISO
qvm-start win7 --cdrom=/home/piit/Downloads/windows_7-Pro-64bit-DE.iso

- Several reboots (=restarts) until Windows is running

- Start VM as final test -> GUI available?
qvm-start --debug win7

- Clone VM to have a working copy if you screw up during the next steps (win7-plain)

- Install qubes-windows-tools
qubes-dom0-update --enablerepo=qubes*testing qubes-windows-tools
or:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools

- Disable User Login
Start > cmd.exe (as Administrator)
netplwiz
Uncheck "Users must enter a user name and password to use this computer"
Double check that the changes have been applied
Reboot (Login should happen automatically)

- Launch windows with Windows Tools ISO
qvm-start win7 --install-windows-tools

- Copy Windows Tools to c:\tools

- Allow unsigned drivers (as described in the Readme.txt)

- Increase Timeout
qvm-prefs -s win7 qrexec_timeout 300

- Install Qubes Tools for Windows
- disable: Xen PV Disk Drivers
- disable: Qubes GUI Agent
will ask for a restart after installation

- Next startup will show an information window:
"Qubes Tools for Windows
Qubes private disk image initialized as disk D:.
User profiles directory will be moved there during the next system boot.
[OK]"
Choose "Restart Now"

- On next startup a few command messages will appear, then the desktop is available
If you check the application menu in Qubes OS, you will find all Windows available there :-)

- Clone the VM to have a working backup, if you screw up your VM during the next steps (win7-ready)

- Restart win7 VM and launch the "Qubes Tools for Windows" Installer again
(c:\tools\qubes-tools-WIN7x64-3.0.4.1.msi)

- Choose "Change" and install "Qubes GUI Agent", which we have disabled during the first start.

- Open VM Settings and check under the "Basic" Tab if "Seamless GUI" is disabled

- Restart VM and check what happens. In my case the VM was booted into seamless mode (even when this was deactivated in the settings)

- Try to start a windows application from the Qubes OS menu, like Calculator. In my case the icon showed a little bouncing calculator-icon, but no app came up.

- Shutdown VM via right click in Qubes VM Manager. As this didn't work within 20 seconds I chose the option "Kill VM" in the popup-window

- Try to restart VM in debug mode "qvm-start --debug win7"
which leads to a Bluescreen of Death with the message:
"Quota Underflow"

- At this point I have purged my VM and started the Clone VM (win7-ready).


Any suggestions if the problem is on my side (misconfiguration at some point) or within the Qubes Windows Tools package (especially the "Qubes GUI Agent")?

At least I'm glad to have Win7 running in "Full Desktop Mode".

regards

- Piit

x...@xet7.org

Mar 16, 2016, 3:55:57 PM
to qubes-users
Hi,
I used nearly same instructions, but with these differences:
- I used Win7 64bit English version .iso
- I did not use debug mode when installing
- I did use 1GB (1024MB) RAM for Win7 VM, not 4GB
- I installed Qubes GUI Agent at first install, not in multiple steps.

For getting network connection working:
- I disabled Qubes network service from Services
- I setup Win7 IP address manually from Win7 network settings to same that is shown at Qubes-manager Win7 VM settings, using IPv4. I did disable IPv6 on Win7.

Maybe Qubes tools installer has option to not install Qubes network service, because network in Win7 did work before installing Qubes tools. I did not check.

I did use Qubes-manager also to uncheck seamless mode, as you did.

For getting my USB headset working and sound going there, I used Konsole to start pavucontrol GUI in dom0. I do not remember was pavucontrol already installed, or did I install it to Fedora23 template and then shutdown Fedora23 template and update dom0 with Qubes-manager.

I did get TeamViewer only working in Win7 VM, not on Linux VMs.

For getting Skype installed to Debian 8 Standalone AppVM, I needed to do:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo dpkg -i skype*.deb
sudo apt-get -f install

Dropbox did have 64bit .deb for debian.

I'll probably later try to contribute these as pull requests to Qubes documentation.

I'm not sure, but could "Quota Underflow" mean that you have somewhere too little diskspace left? On Qubes-manager Win7 VM settings you can add space. I did not get that error.

BR,
xet7

x...@xet7.org

Mar 16, 2016, 4:14:17 PM
to qubes-users, x...@xet7.org
More details I forgot to add when installing Win7 Pro 64bit English.
These tips are originally from this show yesterday and its IRC chat:
https://twit.tv/shows/security-now/episodes/551?autostart=false

When installing Win10, there's this article about disabling possible upgrades to Win10:
https://support.microsoft.com/en-us/kb/3080351

But to make the changes more easily, I did use GWX Control Panel standalone executable from this address, it has GUI button to disable updates:
http://ultimateoutsider.com/downloads/

Then I did use this article to update Windows Update agent to newest version, so that Windows Update works in Windows GUI:
https://support.microsoft.com/en-us/kb/949104
and also used link in update window that enabled updates also for other products than Windows.

When installing updates, it's good to first install primary updates, and after that optional updates. On optional updates, if you want Microsoft Security Essentials, install new this year's 2016 update from Windows Update for it, not the older one.

BR,
xet7

piitb...@gmail.com

Mar 16, 2016, 4:31:10 PM
to qubes-users, x...@xet7.org
Hello,

thank you for the detailed feedback, I think it would really be great to have a wiki to create a documentation more easy (even more with several editors).
Data could then migrate to the official documentation if it has reached a more mature level.
wiki.qubes-os.org / or as an own website cubes-os-wiki.org .. a quick'n dirty tikiwiki would do the trick.
Anyhow ...


On Wednesday, March 16, 2016 at 20:55:57 UTC+1, x...@xet7.org wrote:

> For getting network connection working:
>
> - I disabled Qubes network service from Services
> - I setup Win7 IP address manually from Win7 network settings to same that is shown at Qubes-manager Win7 VM settings, using IPv4. I did disable IPv6 on Win7.
>
> Maybe Qubes tools installer has option to not install Qubes network service, because network in Win7 did work before installing Qubes tools. I did not check.
>
> I did use Qubes-manager also to uncheck seamless mode, as you did.


Network was working out of the box, but strangely I can't download updates via Portable Update (my favorite tool to update a windows client when no local WSUS server is available).
I tried to install the updates via "Search for Updates" but after a while I got tired looking at the "Searching for Updates" message and aborted the operation.

How did you manage to get Updates working?
 

> For getting my USB headset working and sound going there, I used Konsole to start pavucontrol GUI in dom0. I do not remember was pavucontrol already installed, or did I install it to Fedora23 template and then shutdown Fedora23 template and update dom0 with Qubes-manager.

 
I think you're talking about Fedora not the windows VM as I found the information that audio will not work in windows.
Audio was working out of the box (PC speakers) in my "Untrusted VM" which I use for Youtube & Co.

> I'm not sure, but could "Quota Underflow" mean that you have somewhere too little diskspace left? On Qubes-manager Win7 VM settings you can add space. I did not get that error.

I don't think so, as a plain installation should not use up 20GB.

x...@xet7.org

Mar 16, 2016, 4:53:19 PM
to qubes-users, x...@xet7.org
On Wednesday, March 16, 2016 at 22:31:10 UTC+2, piitb...@gmail.com wrote:
> Hello,
>
> thank you for the detailed feedback, I think it would really be great to have a wiki to create a documentation more easy (even more with several editors).
> Data could then migrate to the official documentation if it has reached a more mature level.
> wiki.qubes-os.org / or as an own website cubes-os-wiki.org .. a quick'n dirty tikiwiki would do the trick.

For me, I think additional wiki would be duplication of effort, and more maintenance. Wikis get spammed easily. My previous pull request to Qubes documentation was accepted, and there's info about contributing etc at https://github.com/QubesOS/qubes-doc .

> Network was working out of the box, but strangely I can't download updates via Portable Update (my favorite tool to update a windows client when no local WSUS server is available).
> I tried to install the updates via "Search for Updates" but after a while I got tired looking at the "Searching for Updates" message and aborted the operation.
>
> How did you manage to get Updates working?

First I activated Win7 with phone as normally before. Then I updated Windows update agent etc as I detailed in my 2nd reply to this thread, beginning with words "More details...". In Windows Start menu I searched for update, and used Windows Update window to install updates, not web browser like IE.

>  
> For getting my USB headset working and sound going there, I used Konsole to start pavucontrol GUI in dom0. I do not remember was pavucontrol already installed, or did I install it to Fedora23 template and then shutdown Fedora23 template and update dom0 with Qubes-manager.
>  
> I think you're talking about Fedora not the windows VM as I found the information that audio will not work in windows.
> Audio was working out of the box (PC speakers) in my "Untrusted VM" which I use for Youtube & Co.

Yes, I'm talking about Debian and Fedora VMs here, I have not tested sound with Windows HVM yet. Probably it would work when adding USB device like USB headset or Bluetooth adapter that would connect audio.

> I'm not sure, but could "Quota Underflow" mean that you have somewhere too little diskspace left? On Qubes-manager Win7 VM settings you can add space. I did not get that error.
>
> I don't think so, as a plain installation should not use up 20GB.

Basic install for me did take about 11 GB when I did backup, before adding Qubes tools etc.

BR,
xet7

piitb...@gmail.com

Mar 18, 2016, 7:25:28 AM
to qubes-users, x...@xet7.org


On Wednesday, March 16, 2016 at 21:53:19 UTC+1, x...@xet7.org wrote:
>> How did you manage to get Updates working?
>
> First I activated Win7 with phone as normally before. Then I updated Windows update agent etc as I detailed in my 2nd reply to this thread, beginning with words "More details...". In Windows Start menu I searched for update, and used Windows Update window to install updates, not webbrowser like IE.

Have you enabled "Automatic Installation of updates"?
I have deactivated this, as I want to search manually for updates to have more Control.
From other postings in this Group I found out that Manual update search seems to be broken, while it works when "Automatic Updates" are enabled.

Which settings are you using?

- Piit

piitb...@gmail.com

Mar 19, 2016, 9:46:26 AM
to qubes-users
I have switched updates to automatic and left the windows VM running for a few hours.
The status was always "Searching for Updates" but when I finally decided to give up and launched the shutdown command, I saw that 150 updates will be installed.

After the updates installed, I restarted the VM twice and then suddenly the "New Updates are available" Icon showed up in the taskbar and I am able to install those updates.

Summary, in case your windows VM is not downloading windows updates manually:

  1. Install the latest version of Windows Update Agent from
    https://support.microsoft.com/de-de/kb/949104
  2. Enable automatic updates
  3. Run a manual search for updates and leave it running for some time
  4. Shut down the VM after a while, during shutdown you will get the information that new updates are waiting for installation
  5. After those Updates are installed, restart the VM once or twice
  6. On the next reboot the Windows Taskbar Icon should say that other updates are available.
  7. Install those and reboot
  8. Repeat until no Updates are left

x...@xet7.org

Mar 19, 2016, 10:23:47 AM
to qubes-users
Hi,
if I remember correctly, I installed new updater, enabled automatic updates, searched for updates then manually on update window (not browser), installed primary updates and then secondary updates etc.

BR,
xet7

Deviant

Mar 28, 2016, 2:47:18 PM
to qubes-users, x...@xet7.org
Hi Guys

Not sure if you managed to resolve the problem, I have however managed to get it working using the steps you used.

One thing that I did notice, it only seemed to work as expected once debug mode and seamless mode was enabled. As soon as I disable debug mode the apps open on the desktop of the HVM and not the Qubes Desktop as expected with an AppVM.

piitb...@gmail.com

Mar 28, 2016, 4:11:35 PM
to qubes-users, x...@xet7.org
Hello,

On Monday, March 28, 2016 at 20:47:18 UTC+2, Deviant wrote:
> (...)
> Not sure if you managed to resolve the problem, I have however managed to get it working using the steps you used.
> One thing that I did notice, it only seemed to work as expected once debug mode and seamless mode was enabled. As soon as I disable debug mode the apps open on the desktop of the HVM and not the Qubes Desktop as expected with an AppVM.

Please also check the following topic which also includes some information about the problem with Seamless Mode.
https://groups.google.com/forum/#!msg/qubes-users/Ia73yb4lCGA/FxvzblPhCAAJ

I did some more research and found a direct connection between Display Resolution in Dom0 and the seamless mode feature in my Win7 HVM.
Even more important, it seems that the windows 7 HVM runs into problems depending on the resolution.

To be more specific:
  • My Laptop has a native resolution of 2880x1620 Pixels, which works perfectly in Qubes OS.
  • Before installing the Qubes Windows Tools I have set the display resolution in my Windows 7 HVM to 1280x1024 Pixels.
  • If I change my resolution in Dom0 to 1280x1024 Pixels via ...
    [piit|dom0 ~]$ xrandr --output eDP1 --mode 1280x1024
    ... and disable Debug Mode and enable Seamless Mode, seamless mode is working.
    I can also start in Desktop mode, if I disable seamless mode and enable Debug Mode.
    Problem: I can start windows apps from the Qubes OS menus, but I can't shutdown the windows 7 vm via Qubes Manager (Right Click, "shutdown VM") but need to Kill the VM.
  • If I try to start my Windows 7 HVM with my native resolution in dom0 the VM starts in seamless mode, but nothing happens.
    If I boot with Debug Mode enabled and seamless disabled I get stuck at the end of the windows boot logo.
    As above I can't shutdown the VM but need to kill it.
    As soon as I switch to the 1280x1024 resolution via xrandr the VM boots up and works.
    Debug Mode = Desktop mode and also seamless mode is working. Shutting down the VM via Qubes Manager is NOT working.
Conclusion:
There seems to be a "side effect" regarding the display resolution in dom0 and the windows 7 HVM.

The Lenovo W540 has also a dedicated graphic card (the NVIDIA Quadro K2100M) which doesn't work out of the box with Qubes OS.
As I don't need the dedicated graphic performance and prefer to learn more about what works in Qubes OS without messing around with drivers, I would like to disable the nvidia graphic card or would at least make sure that qubes os is not using it.

Question:
How can I make sure that the nvidia graphic card is not involved in this topic?

Next:
I'll delete my windows 7 hvm and create a new one where I will set the resolution within the windows 7 VM to 2880x1620 so that it mirrors my native resolution which is my default resolution in dom0.
My idea is that seamless mode only works if resolution in windows and resolution in dom0 are equal.

- Piit

 

Marcus at WetwareLabs

May 29, 2016, 10:27:05 AM
to qubes-users
Piit,

thanks for your investigation and nice tutorial!

Have you managed to get Windows HVM into real full screen mode without installing Windows Tools GUI? Setting allow_fullscreen=true in /etc/qubes/guid.conf does not seem to enable it anyway (it stays grayed out on window bar -> More actions -menu). 

I have dual monitor setup (1920x1200 Displayport-0 and 1920x1080 DVI-0), but I've managed to install GUI tools (as you did) by only setting dom0 resolution the same as in Windows and detaching the other monitor. As soon as I add the other monitor, Windows wouldn't start no matter if seamless mode is on or off. HOWEVER if I add the 2nd monitor only AFTER starting Windows, it works nicely and I can use Windows both in full screen mode (in 1st or 2nd monitor) or in seamless mode. Also switching between seamless and normal mode from VM Manager is possible in real-time :)

Some things I noticed (only 1 monitor in use):
- some of the Windows Updates have incompatibilities with QWT. Whether Network Tools are installed or not, DHCP would not work, but manual configuration would resolve situation. 
- Seamless mode starts anyway even if it is not enabled in VM Manager when the VM is booted the first time after GUI tools installation. After that, it boots as it is configured in VM manager.
- starting in seamless mode is very erratic (about 50% of the times the startup fails and restart is needed).
- starting without seamless mode works slightly better (starts in full screen by default but works as windowed as well), but can get stuck as well during boot
- shutdown from VM Manager does not work (seamless or not), but "shutdown /s /t 0" from windows command line works even in seamless mode

After changing between seamless and normal modes and booting few times, the VM would not start anymore (stuck at Starting Windows screen). Only after many restarts between normal and safe mode (which works), would normal mode boot again..

Here are attached logs from one of the times it was stuck during boot (one monitor):

and logs when starting with two monitors (always gets stuck):

I noticed there was 2 different log files for qga and 4 for qrexec-wrapper. But I deleted all logs in safe mode before starting VM in normal mode, so these logs should be only from one run.

I noticed that behaviour got more erratic after setting more verbose log levels (5) and sometimes it would BSOD as well (SYSTEM_SERVICE_EXCEPTION, STOP: 0x0000003B (...) ). Maybe race condition? I can send dump files and Xen logs somewhere also if you're interested.

Using Q3.1 with stock kernel 4.1.13-9 and latest QWT (3.0.4-1). HW: Intel i7-5820K with Asrock X99 WS. GFX card is GTX980 with stock Nouveau driver.