contents
PersBackup

Personal Backup

© 2001 − 2021, Dr. Jürgen Rathlev

Start Backup under different account


Overview

Since version 5.8 Personal Backup contains the utility program PbStarter. This can be used to run backups under a user account different from that of the logged-on user. You will find the utility in the Windows start menu as Personal Backup - Backup under different account. The purpose of this program is to provide additional protection against malware that maliciously encrypts a user's data including the backed-up files and demands a ransom in return for the decryption key (so-called Ransomware).

The best way to protect your backed-up data is to use a backup directory where all logged-on users only have read permissions in that any program started under their user account cannot write into the directory containing the backed-up data and hence nothing can be changed there. To achieve this, a new user account must be created via Windows Control Panel. This new account will only be used to perform backups and is the only account that can write to the backup directory. No other activities should be performed under this account.

Important prerequisite: To adjust the permissions of the backup directory, it is essential that the drive or the drive partition that holds the backup directory is formatted in NTFS (Windows default). The FAT32 file system often used for USB sticks will not allow permissions to be to changed.

To run a program under a different user account, you can use the Windows console application RunAs, but it cannot save passwords and requires an entry of the password on starting each backup. In addition, compiling the desired configuration is a difficult task even for experts. In contrast, PbStarter can save the required password as an encrypted string which will enable any user to start a secure backup even without knowing this password. Entering the password is only done once during backup configuration by an authorized user. In addition, by providing a graphical interface, the configuration of backups becomes clear and easy.

Prerequisites

Before you can use this procedure, some prerequisites will be necessary. To make this comprehensible to any layman, it will be described step by step as follows. Bear in mind that there are some minor differences between Windows versions 7, 8 and 10. Particularly in Windows 10 Home several settings, like allocating users to local groups, are not available. For this purpose at least the Pro version is required.

Important preliminary note:

The following has been compiled carefully, but the author assumes no responsibility for the topicality, correctness, completeness or quality of the information provided. Every user should be aware of the risks involved in changing system settings. Liability claims against the author whether material or non-material caused by the use of the information provided shall be rejected.

Setting and adjusting the accounts

Unfortunately, the user account initially created during Windows installation is automatically granted administrator rights by default. However, for all normal activities on your computer (mail, Internet, text processing, image processing, etc.), this is not required at all. In fact, it is no problem to install new programs or change system settings even if you are logged on as a normal user. As soon as elevated rights are required, Windows User Access Control will pop up automatically and prompt for a temporary logon as Administrator.
Therefore, it is strongly recommended that only those rights needed to carry out their tasks be assigned to users. These can be separated into three groups:

Following this concept, some initial adjustments to user accounts are necessary:

  1. Activation of the default administrator account:
    After a new Windows installation, the default administrator account initially remains deactivated. Call Administrative Tools on the Windows Control Panel and double-click on Computer Management. Click on Local Users and Groups in the tree on the left and then on Users. Double-clicking on Administrator opens the General tab in the property editor. Uncheck the box Account is disabled and then click OK. Right-click on Administrator, select Set Password... and then Proceed. You can ignore the warning at this point because this account has never been used before. Then enter a reasonably complex password (twice) and keep this in a safe location. Finally, close Computer Management and return to Windows Control Panel.
  2. Additional administrator account:
    to be on the safe side, another administrator account using a name at will should be created. Call User Accounts - Manage another account on the Windows Control Panel. Click on Add a new user in PC settings and Add Account. Do not use the option to use an online account at Microsoft at this point. Click instead Sign in without a Microsoft account (not recommended) and Local Account. Enter any suitable name and the password (twice). It is very useful to enter the same password as used by the normally logged-on user to make it easy for new programs or updates to be installed, in that on starting a setup, the user will automatically be prompted by the Windows system to log on as an administrator, select the newly-created account and enter the familiar password. Finally click on Next and Finish.
    In the list Manage other accounts click on the newly-created username and Change the account type. Select Administrator and confirm this by clicking Change Account Type.
  3. Downgrade other accounts:
    Call User Accounts - Manage another account on the Windows Control Panel. A list of all active accounts will be displayed, among these the Administrator and the newly-created second administrator. Click on all other accounts one after another and select Change the account type. Select Standard user and confirm this by clicking Change Account Type.
  4. Create a new account only for backup purposes:
    To perform the backups, a new standard user account with password must be created (e.g. using the name BackupUser). Call User Accounts - Manage another account on the Windows Control Panel. Click on Add a new user in PC settings and Add Account. Create a new local account as described in 2. above. The account type remains a Standard user. This account will never be used for normal logons: it is only required by the program PbStarter to perform the backups.
    It is also recommended to add this user to the local Backup Operators group (not available in Windows 10 Home). Strike Windows key + R
  5. in combination to open the Execute dialog and insert lusrmgr.msc. After clicking the OK button, the Local Users and Groups management console will open. Select Users, double-click the new user, switch to the Member Of tab and add the group Backup Operators.

Security settings for the directories

As described above, write access to the backup directory must be blocked for all standard users except the special backup user. In addition, it must be ensured that the backup user has read permissions to all directories to be backed up.
Important note: The drive containing the backup directory must be formatted in NTFS (Windows default). The FAT32 file system often used on USB sticks does not support security settings.

To understand the procedure, it is important to know that permissions of a parent directory are automatically passed to all its child objects (files and subdirectories). Assuming that a new directory is created on drive F:, e.g. F:\Backup, it will inherit all permissions from its parent directory F:\. You can check this yourself by right-clicking on the new directory and selecting Properties and the Security tab. In the upper part of the dialog window, all users and groups having permissions on this directory are displayed and, in the lower part, the permissions assigned to the selected user or group can be seen (grayed out because inherited). A group contains several users to simplify the assignment of permissions. The permission displayed refers to all users in the group.

  1. Security settings for the backup directory:
    All normal users should only have permission to read from this directory. Only the backup user (see BackupUser above) is to have permission to write. In the following description, it is assumed that the backup is to be made to a new directory Backup on drive F::
  2. Security settings for the directories to be backed up:
    The backup user BackupUser must have permission to read from all directories to be backed up. If the archive bit is to be reset during backup (Full (new) and Incremental), this user additionally needs permission to change file attributes. This is not required for backups using either of the modes Update or Differential.
    If all personal data of the users are located in the Windows default directories, only the directory C:\Users (and its sub-folders) must be set up as described below. If directories at other locations are to be backed up, an analogous procedure is required.

The utility program PbStarter

Desktop

Overview

Using this program, several backup tasks previously configured with Personal Backup can be arranged as a group. Apart from this, each group contains the credentials of the user account under which the backups are to be performed (e.g. the BackupUser mentioned above). Clicking the button Start backup, all backup tasks in the selected group will be performed using the account of the specified user. The tasks are processed in the order as specified by the list or optionally in parallel. In addition, you can select how the status window will be displayed during backups and if the program should prompt for the password on each start of a backup or save it permanently as an encrypted string. Optionally, you can specify that the backups will be run as an administrator. In this case the Windows User Access Control will prompt for an elevation of user privileges (e.g. to use Volume Shadow Copies).

User interface

After starting the program for the first time, all fields (see screenshot on the right) are initially empty. At first enter a unique name for the group to be created in the description field. At the top right insert the name of the user account under which the backups are to be performed. By clicking the button to the right, the associated password can be entered to be permanently saved as an encrypted string. If no fixed password is specified, it must be entered on each start of the backups by the user. Optionally, you can specify to run the backups with elevated right as administrator. This is, for example, required if Volume Shadow Copies (VSS) are used for the backup.
Then select the backup tasks (buj files) for this group by clicking the button on the left beneath the list field. Notice the important notes below.
Short description of the buttons:

Creating a new group
As described above, a new group will be created.

Delete selected group
The selected group and all its settings will be deleted.

Hinzufügen

Add backup tasks
A dialog opens to select one or several tasks (buj files) and add them to list.

Entfernen

Remove a backup task
The selected backup task will be removed from the list..

Bearbeiten

Edit the selected backup task
Personal Backup will be started under the account of the specified backup user to edit the settings of the selected backup task.

Protokoll

Show the log file of the selected backup task
If a separate directory for the log files was specified (see input box below), the log file of the selected task will be displayed immediately after clicking this button.

nach oben nach unten

Change the order of the backup tasks
By clicking one of these buttons, the selected task will be moved up or down in the list.

Other options

On the right,
In the field to the bottom left,

Edit shortcut

The group properties will be saved automatically on closing the program or starting a backup. By clicking the small arrow to the right of the description field you can switch between different groups.
 

Create a Desktop shortcut

Create shortcut Clicking the third button from the left at the bottom will open a dialog (shown on the right) for creating a Desktop shortcut to start selected backup groups with one double click under the associated user accounts. You can combine this with a subsequent action (e.g. Shutdown). In this way it is very easy to run a secure backup before shutting down the computer. No longer use the Windows function Start menu - Shutdown: instead double-click this Desktop icon!

The required settings can be made in a dialog (see screenshot). The list on the left shows all configured backup groups. Select the groups to be run from the Desktop shortcut by click and Ctrl-click. On the right you can select the action to be performed after the backups have finished (see more). If Prompt is selected, the backups will not start immediately after clicking the Desktop shortcut but rather the user will be prompted beforehand to select the subsequent action. In this way, it is very easy to start a secure backup under a different account and decide in each case what should happen afterwards (e.g. hibernate, poweroff or even continue).
Optionally, you can specify that all running programs of the logged-on user should be terminated prior to the backup and that a log file should be written. After clicking OK, the desktop shortcut will be created.


Dialog for option Prompt

Prompt  

Start backups using the Windows Task Scheduler

task scheduler Create a new task: Clicking this button, will add several selected backup groups to the Windows Task Scheduler to be started automatically for a time schedule. The group selection and other settings are done similar to the Desktop shortcut (see above). Next, you insert the name for the task and the time schedule. (see here).


task scheduler Edit a task: Clicking this button will show a list of all tasks using PbPlaner. Select a task and click the button Edit task to modify the associated time schedule.
 


Show PbStarter log

View log If PbStarter was started using the Windows Task Scheduler or a desktop shortcut (see above), an own log file will be created. It will record start and end times, all executed backup groups with their backup tasks and whether errors occurred (e.g. if a running program could not be terminated or Personal Backup could not be started). Clicking this button will display the log. If there happened errors during backup, detailed information can be retrieved from the log of the particular task (see above).

Start an application under different user account

Start app As described above, the logged-on user cannot write or make changes to the backup directory. By clicking this button, a selectable file manager, e.g. TotalCommander or FreeCommander, and additionally any other application, e.g. a text editor such as PsPad will be started under the displayed user account. Using the application(s) started in this way the user will be able to make required changes in the backup directory. Note: Windows Explorer cannot be started in this way.

Command line options

[group list] /force
Starts a backup of all task collections specified in group list (see above under description). The group names must be separated by a spaces. If a group name contains spaces, it must be enclosed by quotation marks.
/ini:[filename] or /ini:[directory]
All program settings are stored in a file PbStarter.ini, which is located by default in the Application Data folder of the user. Using this option you can select an alternative name and/or directory. If a full path is specified (e.g /ini:E:\MyBackupConfiguration\), it will also be used for the PbStarter log file and the Personal Backup settings. In this way you can accomplish that no traces are left behind for example after starting the program from an USB stick.

Important notes

About the program All Backup tasks to be executed must be located in a directory to which the backup user can write. For this, it is recommended that a new subdirectory (e.g. F:\Backup\Tasks) be created in the backup directory (see above: F:\Backup) and all required buj files be copied there. The same applies to log files. To access these files easily, it is useful to create another subdirectory F:\Backup\Logs and enter this name in the group configuration (see above).


J. Rathlev, 24222 Schwentinental, Germany, October 2020