Rob - you won't have a lot of fun with truecrypt and vmware if you have to follow my tips only.
Lets see that you understand yourself ...
VMware has this "services" in registry:
vmx86
VMAuthdService
VMnetuserif
VMnetAdapter
VMnetBridge
hcmon
vmusb
"VMware NAT Service"
VMnetDHCP
vmount2
vstor2
vstor2-ws60
vmkbd
Each of them has a start-entryin registry that looks like this
"Start"=dword:00000003
The safe setting is 3 - this will not start automatically - which gives you the time to mount something ike a truecryptcontainer first.
Export these keys - then you can always go back to factory defaults:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hcmon
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMAuthdService
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vmkbd2
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMnetAdapter
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMnetBridge
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMnetDHCP
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMnetuserif
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vmount2
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMware
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VMware NAT Service
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vmx86
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vstor2
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vstor2-p2v30
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\vstor2-ws60
Some of these services are started from the windows-systemdrive in a normal installation.
You can't run them from a truecryptcontainer "easily"
The procedure I try to explain runs the VMware-install-directory and the VMs from a truecrypt-container.
This is the easiest way - but it is not complete - you still have about 12 MB files in windows-directory and about 10 MB in the common program files directory.
If you can live with that 
- the handling becomes easy as you can leave everything as it is.
Hmmm - for the uncomplete - but simply variant you don't need any of that batchs or registry patches ...
Rob - are you seriously intetrested in automounting a truecrypt-container at windows-start for VMware-use?
I could use that for my LiveCD as well ...
Feel invited to get on my nerves and remind me to finish it - not kidding - otherwise I;m to lazy
Ulli
OK getting lost along lines. Let see how I understanding this:
Some of these services are started from the windows-systemdrive in a normal installation.
You can't run them from a truecryptcontainer "easily"
Are you trying to say that:
1) blocking services or (?) activating them with batch after boot would be bad for system (because they are system files)?
2) some services are not needed because are used only during installation therefore activating all make no sense?
3) or yet something else?
I mean I have very little understanding about coding and system architecture (its obvious from this dicussion that we are on different levels) and wouldn’t really like to involve you in writing 3 page reply poem LOL. If it’s too hard to explain Ill just live with it – anyway don’t understand statement.
The procedure I try to explain runs the VMware-install-directory and the VMs from a truecrypt-container.
OK I think I mistakenly made wrong statement in previous post. Are you trying to say it is batch file which will disable services, no need to do anything manual?
This is the easiest way - but it is not complete
Getting your word for it in both aspects.
you still have about 12 MB files in windows-directory and about 10 MB in the common program files directory.
If you can live with that - the handling becomes easy as you can leave everything as it is.
Hmmm - for the uncomplete - but simply variant you don't need any of that batchs or registry patches ...
I thought that from previous replies: best (even impractical) would be to use live CD simply boot from it, than access hidden container and run VMware from it – another words (should TrueCrypt be used) - total deniability. This would guarantee that it would not even be possible to guess that encrypted container could have entire hidden OS. Encrypting Virtual Machine only on other hand would not create deniability at all, since very presence of VMware implies existence of guest OS. Coinciding presence of VMware with existence of large encrypted files/drives (where entire volume is written with random gibberish – easy to spot) would suggest hidden virtual machines and OSs. Encrypting Vmware’s Program File folder even would not achieve deniability, it would (hopefully - ???) provide some obscurity, as presence of VMware on system would not be obvious at first sight. Therefore adversary could not be hopefully suspecting existence of virtual machines after casual examination. I really lack understanding about traces in Window directory and Common Programs. If they do have access dates all above is correct. If not it still would be possible to claim (yeah I have it once but get rid of it long ago). I am guessing however that combined 22MB will have plenty of dates.
Rob - are you seriously intetrested in automounting a truecrypt-container at windows-start for VMware-use?
I could use that for my LiveCD as well ...
Feel invited to get on my nerves and remind me to finish it - not kidding - otherwise I;m to lazy
LOL. “ Dear Santa! Could you please finish it? I would do it myself except I don’t know how. I can’t promise I will be good boy whole year but I will try my best..” 
)
As I said personally I don’t have any strong motivation to need something like this and definitely wouldn’t like to make you involved in spending your time just for me LOL. If it’s easy to do – definitely! Why not. I thought you were saying that ;live CD option already exists. If its not, personally I still would like to have this option even if I would to never use it.
I just finding entire concept very fascinating. I mean, think about it. Totally invisible and deniable OS is AFAIK entirely new never heard before (unless you NSA, KGB or CIA) concept. I mean it still would be possible to prove you have it, should you be spy or terrorist and someone bother to triangulate your wireless signal or go down the path MAC to MAC down entire packet route. But even taking this into account locating and breaking deniability would be extremely difficult, especially if you would additionally combine usage with something like TOR,…plus of course understanding of things like third party cookies, scripts, flash cookies, URL arguments etc etc (I mean good luck tracing TORs route through 3 continents and 150 hops or so it makes – even taking into account that it is known that TOR routers seems more and more subject of interest for: evil/questionable entities and let me guess who else…NSA? ..(scratches my head thinking) – have your own guesses ). Since disciplined usage of VMware protects in 100% from penetration from outside, TOR protects anonymity and True Crypt would cover for physical access penetration – you are getting really (James Bond like), powerful tool.
What would such a tool be to a world?
Probably blessing for political decedents, wish come true for free speech right defenders and predictably by necessity, as always, avenue for all sort of trolls and evil/questionable characters.
Quoting Steve Gibson from GRC: Freedom of speech just doesn’t comes for free. Yet at the same time on a long run it is beneficial and cannot be achieved unless people using Internet and making statement are absolutely certain their action will be free from any consequences”.
Even I have tons of respect and warm feelings for Steve Gibson I myself have mix feelings about this statement: neither agreeing not disagreeing with it entirely. In any case even I understand NSA tries to protect us from some religious fanatics trying to annihilate us, I definitely do not like the very manner (no court warrant) in which NSA operates. It just gives me chills, that as I writing this very post, somewhere in some cubicle there might be someone reading all this and who knows maybeordering wire typing and electronic surveillance. Sad part is it is all not that unrealistic at all. Should such a tool be possible definitely would like to have it. If for no other reason, just for sake of having it.
o O (I hope I don’t turn this tread into political discussion).
PS.
Since its 10.09 pm here and Im guessing you are in Germany, its probably 4 am where you are. Will continue discussion tomorrow!
Hi Rob - no timeout for interesting stuff during holidays
wish there were more discussions like this
Where do we start ?
Hmmm - a regular VMware-application installation leaves traces.
1. registry
2. windows\system32
3. VMware-install-directory - which defaults to C:\program files\vmware\vmware workstation\
4. common files directory - C:\program files\common files\vmware\vmware virtual image editing
5. common files directory - C:\program files\common files\vmware\vmware virtual machine importer
6. C:\documents and settings\All Users\Application Data\VMware
7: C:\documents and settings\user\Application Data\VMware
8. directory where the VMs are
9. pagefile
In a regular install every of first 7 "points" are on the systemdrive and so can not be used from a truecrypt-container - while it is no problem to have the VMs itself in a tc-container.
The LiveCD I maintain is the cleanest way to hide traces in the first 7 "points" - as the LiveCD loads the system into RAM there will be no traces after shutdown.
Putting the VMware-install-directory (3) into a truecrypt-container is the easiest way to use truecrypt. But of course that is incomplete. To do this you don't need to do anything special. Just make sure you always load the truecrypt-container BEFORE you start VMware.
Putting the common files directory into a truecryt-container (4 + 5) is a little bit more tricky. You either need to redirect the directories into a truecrypt-container with junctions - or patch registry and completely redirect those paths.
Putting C:\documents and settings\All Users\Application Data\VMware (6) into a truecrypt-container is possible when you use junctions.
Putting C:\documents and settings\user\Application Data\VMware (7) into a truecrypt-container is possible too - with junctions. - or probably even better by redirecting the complete home dir of a user into the tc-container. Both is possible - just a little bit advanced maybe ?
Leaving no traces in the pagefile is beyond my knowlege - the best you can do is to configure the VMs so that they use a namedFile instead of the pagefile.
Leaving no traces in windows\system32 is not possible with a default installation - but can be done manually if you are a hardcore user. Or in other words - I know how to do it but it is a lot of work - nothing for guys that are afraid of hacking registry
Leaving no traces in registry is very, very tricky. Windows writes a lot of "background-noise" into the registry ... Best you can do here is do a good cleanup.
I guess that if I have a good day I would be able to cleanup without leaving traces in maybe an hour of manual work. Writing an automatic cleanup that is complete enough to cheat a smart guy from NSA is beyond my skills I guess.
So lets sum up our options:
1 LiveCD with fully encrypted disks:
- very easy to do - best variant if you want to hide existance of VMware-apps and VMs - needs reboot
2. VMs in tc-container:
- very easy to acchieve - incomplete - no reboot - no cleanup
3. VMs in tc-container with registry-cleanup of traces of used VMs:
- easy to acchieve - incomplete - no reboot - needs to run a batch after use
4. VMs AND VMware-install-dir in tc-container
- needs some extra work - still incomplete - no reboot
5. VMs and all VMware-files in tc-container
- tricky - incomplete - no reboot
6. VMs and all VMware-files in tc-container with cleanup after use
- very tricky - no reboot
If you look at your options I think only 1, 2, 3 and 6 really make sense - as the traces you leave in windows-dir and common-files dir don't reveal much of what you have done in last session.
An investigator would just notice that you have VMware installed and maybe used it recently.
Lets look at 6. ... hmmm - if you really are so paranoid or criminal - why don't you use the LiveCD ? -
In the LiveCD I have a kiosk-mode that automatically launches a VM - or some VMs.
The LiveCD also has a cheatcode "tc" which uses a truecrypt-container for the home-directory.
This cheatcode needs manual mounting of the tc-container.
I have an automatic that starts "truecrypt.exe" - and loads a container and enters the password on my todo-list since a while - so I planned to use an autoit-script that clicks through the procedure anyway ...
Hey - its pretty useful to discuss this - ask questions please
LOL - You made last post yesterday at 12.32 am EST- USA. I assumed you must have gone sleep.
Wow! You go quite length to find, think and cover all this
Where do we start ?
+Hmmm - a regular VMware-application installation leaves traces.+
1. registry
2. windows\system32
3. VMware-install-directory - which defaults to C:\program files\vmware\vmware workstation\
4. common files directory - C:\program files\common files\vmware\vmware virtual image editing
5. common files directory - C:\program files\common files\vmware\vmware virtual machine importer
6. C:\documents and settings\All Users\Application Data\VMware
7: C:\documents and settings\user\Application Data\VMware
8. directory where the VMs are
9. pagefile
In a regular install every of first 7 "points" are on the systemdrive and so can not be used from a truecrypt-container - while it is no problem to have the VMs itself in a tc-container.
I see. Now I understand what you meant in previous post by “you can’t run them un normal installation from True Crypt easily “.
The LiveCD I maintain is the cleanest way to hide traces in the first 7 "points" - as the LiveCD loads the system into RAM there will be no traces after shutdown.
I wasn’t sure from previous post reading between different statements does live CD is already existing option or future plan. It seems clear from this reply that it is existing option – which is very cool. I’m not sure why you excluded point number 8? If directory of VMs (which if I understand correctly is just folder where VMs are stored) would be located on encrypted drive that would include 8 – correct? Also I think, with some extra steps (possibly this would require adding some extra code) it could be possible to either automatically disable pagefiling, or at least disable it manually just before True Crypt container is opened (future comment added below will probably make it clear). In any case does using live CD offers total or nearly total invisibility/deniability – its just great that this very option even exists.
Putting the VMware-install-directory (3) into a truecrypt-container is the easiest way to use truecrypt. But of course that is incomplete. To do this you don't need to do anything special. Just make sure you always load the truecrypt-container BEFORE you start VMware.
Well actually if I understanding this correctly and if by “putting VMware install directory (3) into trucrypt” you mean defining path to True Crypt encrypted container (where Vmware folder is to be installed) - I think this would require batch file. I did test this exact scenario and was mounting volume each time before VMware was started. Problem part was (as mentioned before) finalizing installation with reboot which spells to: TrueCrypt container has to be dismounted, system restarted and after it is fully started encrypted volume can be mounted again. Starting Virtual machine afterwards produces error (don’t recall it’s very exact wording but it does directly refers to: “have you rebooted VMware after installation”).
Putting the common files directory into a truecryt-container (4 + 5) is a little bit more tricky. You either need to redirect the directories into a truecrypt-container with junctions - or patch registry and completely redirect those paths.
Putting C:\documents and settings\All Users\Application Data\VMware (6) into a truecrypt-container is possible when you use junctions.
Putting C:\documents and settings\user\Application Data\VMware (7) into a truecrypt-container is possible too - with junctions. - or probably even better by redirecting the complete home dir of a user into the tc-container. Both is possible - just a little bit advanced maybe ?
Well getting your word for it. Don’t understand exact difference between: junction and redirecting – and what more important its implications in producing: stealth/obscurity (?).
Leaving no traces in the pagefile is beyond my knowlege - the best you can do is to configure the VMs so that they use a namedFile instead of the pagefile.
I think usage of True Crypt faces exact same problem and it’s documentation explains how pagefiling can be easily turned off:
http://www.truecrypt.org/docs/paging-file.php
Leaving no traces in windows\system32 is not possible with a default installation - but can be done manually if you are a hardcore user. Or in other words - I know how to do it but it is a lot of work - nothing for guys that are afraid of hacking registry
As long as it possible LOL. IMO people are generally are being put to fear of God by statements in tone: “Thou shall not touch thou registry yet your PC might die suddenly”. Well (unless I’m wrong – correct me) this seems to be not entirely reflecting reality statement. Not that much PC will die as Windows might. Since it’s possible to back up both entire registry and even entire OS and both back up and restoration processes are fast and painless – why worry should OS become catastrophically corrupted. After all should it die, its easy to restore its exact state from image done before any changes has been applied to registry (with for instance something like this free and extremely easy to use program: http://www.drivesnapshot.de/en/ )
Leaving no traces in registry is very, very tricky. Windows writes a lot of "background-noise" into the registry ... Best you can do here is do a good cleanup.
I guess that if I have a good day I would be able to cleanup without leaving traces in maybe an hour of manual work. Writing an automatic cleanup that is complete enough to cheat a smart guy from NSA is beyond my skills I guess.
Well, producing NSA-proof stealth would be of course the best - there is nothing like peace of mind that something is simply not physically possibly. On other hand, from practical stand point, producing good obscurity has its strong value too. After all (despise making jokes), how likely it for average Joe to have need achieving NSA-poof stelth . I think besides being spy, criminal or terrorist there are thousand other reasons for which someone average could seek OS stealth: as penetration of host OS from network, girfriend/boyfriend coworker/boss having access to PC, stolen data etc. Despise fact that making OS invisible would not alone produce neither privacy nor security (after all someone hacking PC or having physical access to it could install Trojan/spyware), at the same time should you restore host OS and data files from image every time there is suspicion that system could have been compromised – it would be extremely unlikely that potential intruder could even suspect that system hosts entire OS which is invisible.
3. VMs in tc-container with registry-cleanup of traces of used VMs:
easy to acchieve - incomplete - no reboot - needs to run a batch after use
Not sure is by “easy” you assuming some previously implemented automation. I think you stated previously that it would take an hour of manual work. Also would it be safe to run search in registry for “Vmware” and delete anything found without corrupting VMware of course (guessing NO – however just to be sure)?
If you look at your options I think only 1, 2, 3 and 6 really make sense - as the traces you leave in windows-dir and common-files dir don't reveal much of what you have done in last session.
An investigator would just notice that you have VMware installed and maybe used it recently.
Lets look at 6. ... hmmm - if you really are so paranoid or criminal - why don't you use the LiveCD ?
o O (if Ulli thinks I’m criminal LOL, I wonder what NSA guy who possible reads it thinks (should their automat filter flagged me somehow and someone does). I guess I can expect to have my PC taken apart any day, while being put to sleep with poisoned micro dart shot from gun disguised as umbrella by guy in dark glasses and dark coat. Oh well, gotta stay brave for public cause :P)
LOL for time being I guess, as said before, it is great that live CD option even exists. I guess all decedents (and criminals LOL) can be happy. 😛
In the LiveCD I have a kiosk-mode that automatically launches a VM - or some VMs.
The LiveCD also has a cheatcode "tc" which uses a truecrypt-container for the home-directory.
This cheatcode needs manual mounting of the tc-container.
And that’s probably all which ever be needed.
I have an automatic that starts "truecrypt.exe" - and loads a container and enters the password on my todo-list since a while - so I planned to use an autoit-script that clicks through the procedure anyway ...
Wouldn’t this defy purpose of using True Crypt? If password is inputted automatically having copy of live CD alone would be sufficient to access VMs. I mean I’m not sure I correctly guessing how your disk works – I haven’t checked it yet. Does it allows to use/store virtual machines already created natively on hard disk and stored for instance in True Crypt container (to which password need to be than inputted) or does it allow to load only some predefined VM stored on live CD? In first scenario I guess ability to manually inputting password (as oppose to automated mechanism) would probably be preferable scenario. In second one I guess it wouldn’t really matter since VM itself would not have “personal character” (contain any data which you would be scare to be compromised). All which you would try to achieve is to perform some action on PC without leaving any traces on it that task was ever performed.
Thanks for wonderful insight Ulli! :smileygrin:
@ ksc - thanks for introducing a more systematic discussion - thats pretty helpful. I haven't looked into this systematically before Rob started the discussion.
1) Contents of your VM
2) Metadata about your VM (e.g. when it was last run)
3) Metadata about VMware (e.g. when Workstation was last run)
4) Existence of VMware
Ksc - since my LiveCD-fiddling with starting services from non-default locations I believe that it should be possible to change the installation of Workstation in such a way that we don't need files outside a truecryptcontainer. vmx86.sys can be started from a manual mounted ramdrive - so using the same from a truecrypt-container should be possible too.
Do I miss something ? - I tend to oversimplify things
By rewriting the installer - we could possibly avoid leaving any traces in the Windows-directory - and Common files dir ...- ...
point 3 - I don't think I have full overview here. Does running VMware sets time-stamps on files like vmx86.sys or vmnetbridge.dll ? - oh dear - cleaning up such traces gets much more work that I first thought ...
Anyway - very interesting.
I guess I will try to run WS 6 without files in win-dir next ...
Not sure should I ask some of those questions here or on sparrow forum. Probably since relates to discussion here probably makes more sense ask all here in one place:
1) I run on Windows XP Pro and don’t have server 2003 
– anyway since KIOSK runs on Knopix it seems as I still should be able to create live CD from XP for knopix – am I correct or wishful thinking? (If yes how?)
2) Even you didn’t answer some question from previous post I assuming live CD offers full and total deniability and is existing option. Last post seems to suggest otherwise:
By rewriting the installer - we could possibly avoid leaving any traces in the Windows-directory - and Common files dir ...- ...
Which is true than? Discovery pending?
3) By the way taking occasion “Introduction tour video” link from your site appears to be down:
http://sanbarrow.com/vmtoolbox/vmtoolbox.html
Error from page:”The Camtasia Studio video content presented here requires JavaScript to be enabled and the latest version of the Macromedia Flash Player. If you are you using a browser with JavaScript disabled please enable it now. Otherwise, please update your version of the free Flash Player by downloading here. “
I have Macromedia Flash Player installed, and do not block JavaScript.