Basic Performance and Security Health for Windows
Published: 01/29/2008
The vast majority of Microsoft Windows end users expect their computers to be convenient, self-maintaining machines. However, computers (and their external dependencies, such as peripheral hardware and networked resources) are very complex systems, and users tend to approach them with an overly simplistic expectation. The graphical interface the user interacts with is designed to mask the operations which happen "under the hood" in order to simplify the overall computing experience. In reality, computers are much like cars, with many, many moving parts (physical and logical), and depending on how the overall system is put together, they may require periodic maintenance and monitoring.
Computers are marketed as all-in-one devices which provide a great deal of flexibility and convenience, but they're really just commodity electronics targeted for the lowest common denominator. As consumers demand lower prices for them, vendors will sacrifice performance-grade components as well as the optimization / security configuration of software in order to satisfy the price point. Most users aren't aware that the performance of a computer is a sum of all parts: the hardware, the operating system running on top of it, and the applications installed on top of that. One could also argue that the way someone uses a computer also plays a part.
The problem with Microsoft Windows is that the default provisioning of a user's access to the operating system (and installed applications) is all-permissive. In other words, everyone runs as an administrative user with all the privileges and access to almost the entire operating system. When a machine "becomes slow," this generally isn't a problem with the computer hardware. Rather, it's more likely an issue with the configuration of the operating system and the applications themselves. Since users are granted administrative-level power to do as they please, this often results in a lack of consideration when it comes to planning a machine's overall configuration.
This article will look at several key areas which commonly affect the perceived performance of Windows 2000, XP, and Vista computers, the tools used to investigate issues, tips to help you gain a little more control over your experience with your computer, and high-level concepts which are commonly overlooked. Some of these will be obvious; some of them will dig deeper than what many will be accustomed to. Windows, unlike Unix / Linux operating systems, tends to have a default configuration designed for user convenience at the expense of long-term performance and security, making it more maintenance-prone. Windows security relies not on a secure default configuration, but on the end user, who is hardly informed about such issues. The intended audience for this article is the average home user running Windows in a workgroup / non-domain setting (this is typically Windows XP Home or Vista Home editions). In order to keep this overview to a reasonable length, I'll make some over-generalizations and my explanations may not be accurate for all situations. This is not designed as a comprehensive guide and I recommend reading additional material elsewhere for further information.
Know what runs at startup
People love to install applications. Games, screensavers, media players, instant messaging applications, miscellaneous utilities, etc. However, many of them have a tendency to invasively insert themselves into the operating system startup sequence. Windows already loads many drivers and background services as part of its base functionality, but when coupled with additional stub applications, this causes an overwhelming amount of disk access at boot, thus contributing to the perception of a "slow computer." Microsoft Office, QuickTime, AOL Instant Messenger, Yahoo! Messenger, CD burning utilities, video card utilities, web browser extensions, etc., all rush to the front of the line when the computer turns on and the operating system bootstraps itself. In reality, most of these applications do not need to start automatically in order to function properly. They are inserted into the boot-time sequence "for your convenience," which eventually translates to a longer boot process. Just imagine 10 people trying to walk side-by-side through a door at the same time. There's bound to be some shoving and pushing going on.
Placeholders for these applications to run at startup can be found in many locations, including the registry, the Start menu, etc. Some applications (like adware or spyware) are sneaky and tend to bury themselves in obscure areas. An easier way to view them all at once is to use a utility like AutoRuns. However, be careful about unchecking something if you're not sure what it is. If you disable the loading of a critical service or driver, your computer may not be able to boot properly again without using the Last Known Good Configuration boot option or some other workaround.
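As an added example (not part of the original article), the following PowerShell script gives a read-only listing of the most common autostart locations, the Run / RunOnce registry keys and the per-user and all-users Startup folders, so you can see what is queued to start before changing anything with AutoRuns. It assumes PowerShell is installed; the registry key paths and the WScript.Shell special-folder names are standard Windows locations.

```powershell
# Added example, not from the original article: read-only audit of common
# autostart locations. Nothing is modified.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RegistryAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Source  = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

function Get-StartupFolderItems {
    # WScript.Shell resolves the per-user and all-users Startup folders on
    # both XP and Vista, where the actual paths differ.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($name in 'Startup', 'AllUsersStartup') {
        $folder = $shell.SpecialFolders.Item($name)
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source  = $folder
                    Name    = $_.Name
                    Command = $_.FullName
                }
            }
    }
}

$entries = @(Get-RegistryAutostarts) + @(Get-StartupFolderItems)
$entries | Format-Table Source, Name, Command -AutoSize -Wrap
"{0} autostart entries found" -f $entries.Count
```

AutoRuns covers many more locations (services, drivers, Winlogon hooks, browser helper objects); this listing is only the first place to look.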
Defragment your page file
When it comes to slow system performance, many people's first reaction is to "defragment the hard drive." While file fragmentation is definitely a common cause of slow performance, another area that's neglected is fragmentation of the paging file (the hidden file pagefile.sys), which is the file that backs virtual memory; its size may vary depending on the amount of installed physical memory. However, it's not possible to defragment this file while Windows is active. The only way to defragment it is during boot, before the operating system has fully initialized. Use the PageDefrag utility to do this.
Some third-party utilities (such as Diskeeper) also offer the option to defragment the Master File Table within NTFS for additional performance gain.
Maintain some free disk space
Operating systems in general require some free space in order to write data all over the disk. If the amount of free disk space becomes low (say, less than 500 MB), you may experience slowdowns in performance, especially if you're using applications (for example, Photoshop) which use a designated drive for temporary scratch space. Also, parts of files get moved around the disk all the time depending on how much free space is available in different areas of the disk at any point in time.
Some suggestions for maintaining disk space include deleting old System Restore points, using the Disk Cleanup utility, and looking for any memory dump files on the disk (files that end with the extension .dmp). As odd as it sounds, it's a good idea to always keep at least several gigabytes of space free, even on a large-capacity disk, so the operating system and applications have enough "play room" to stretch around in.
Have plenty of memory installed
There are still people that confuse the terms "memory" and "hard disk space." While these terms may have been interchangeably used a long time ago, today "memory" refers to RAM and is a separate topic from hard disk space. Many times when computer hardware is sold as low-price package "deals," it's typical that the configuration includes only a minimal amount of memory installed just to keep the prices low. However, having only 128 MB or 256 MB of memory for a Windows XP-based system is generally insufficient, especially once you start using applications (which in themselves consume more and more memory as they're being used over time). Given how applications tend to be written with a lot of features (much of which is generally unused by most people), the result is application bloat and the eventual reduction of available memory while the computer is running. If available physical memory becomes low, the operating system will start using slower, hard-disk-based swap space (virtual memory) more often, thus resulting in apparent slow-down in performance. Web browsers, office applications, etc., tend to suck up more and more memory as time goes on, so having at least 512 MB or 1 GB physical memory is recommended for any Windows XP system. This is essentially like paying for headroom in your car so you'll have enough space as you grow taller.
Windows Vista is much more resource-hungry in this regard, so having 1 GB to 2 GB of physical memory makes for much more responsive computing, even though it may mean a higher price tag for the hardware up front.
Don't purchase slow drives
Along the same lines as the point made above about low-priced deals on computer hardware, the choice of hard drive is another option that many people tend not to consider. Many of these laptop packages come with a 4200 RPM drive (the number represents the speed at which the disk platters inside the drive casing turn). In general, the lower the number, the slower the performance. Laptop drives come in three speeds: 4200, 5400, and 7200 RPM. I would avoid 4200 RPM altogether, and if possible 5400 RPM as well. 7200 RPM is ideal, although it can get a bit expensive. With all the applications that people tend to run at once (many of them starting automatically with the operating system), having a faster disk generally translates to smoother performance. In many cases, the hard disk is the performance bottleneck of the entire computer, since the read / write heads within the drive case have to physically move from place to place to read information, much like the needle on a vinyl record. This movement causes latency, where the computer has to wait for the information to be read or written before it can proceed to the next step.
Remove the Windows Startup sound
This is a somewhat trivial concern, but when disk utilization is at its peak during startup (when every application flagged to start up is reading / writing to the disk simultaneously), extending the wait time by requiring the operating system to play a cute novelty sound adds to the frustration and the apparent lack of boot performance. Remove it by going into Control Panel » Sounds and Audio Devices and selecting "(None)" for the Start Windows program event.
It's a good idea to do the same thing for the Exit Windows program event as well.
Control your browser cache
When you visit a website, you're not necessarily looking at the contents of that site in "real time." Rather, you're downloading the pieces of the content (the text, the corresponding images, any movie or audio files, etc.) and the browser then renders them for you. These files are downloaded into a designated repository known as a cache, which is typically located in C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files. Substitute the %username% portion of that path with your user account's name. By default, this location is hidden from view within Windows Explorer (not to be confused with the browser application called "Internet Explorer").
The problem is that this cache size is typically set far larger than practical need. Internet Explorer also does not purge the cache (essentially emptying the trash) after the browser is closed and removed from memory. Since the files within the cache, representing the various websites you've visited, are typically very small, they start cluttering up drive space unnecessarily. Add to that the fact that, given the default file system cluster size, the number of files accumulated over time causes significant wasted disk capacity due to slack space. Therefore, it's recommended to reduce the cache size to the lowest value possible (open Internet Explorer, go to Tools » Internet Options, the General tab, and click Settings).
More importantly, set the browser to purge the cache when closed (open Internet Explorer, go to Tools » Internet Options, the Advanced tab, and under the Security section check "Empty Temporary Internet Files folder when browser is closed").
Don't trust any websites
Microsoft's Internet Explorer (IE) is the web browser application that's built into Windows operating systems. Unfortunately, its default configuration is very insecure and is essentially a floodgate through which malicious code (viruses, etc.) or hijacked websites can attack your machine. Although it can be made more secure through the use of a concept called zones, I would recommend installing another web browser called Mozilla Firefox, which allows for add-on extensions that make your web surfing experience safer. Two of these add-ons are:
NoScript: this prevents automation code called scripts from running automatically when you visit a website, instantly giving you a much higher degree of security. Scripts are very common nowadays and many legitimate sites may require them for the full functional experience. However, they're also a double-edged sword: while they allow for functional convenience, scripts also serve as a way of tricking the user into installing malicious software and other undesirables onto your computer. It's better to block all scripts by default for all websites, then permit them on a case-by-case basis for websites that you trust. Keep in mind, of course, that if you decide to trust your bank's website and the bank's website gets taken over by a malicious person, you're essentially opening the door to your computer for that attacker. This is basically analogous to letting someone who's impersonating a police officer into your house. Also, blocking scripts may speed up a website's load time because there may be fewer site-specific dependencies to load.
Adblock Plus: this add-on serves two purposes: 1) to block out distracting website advertisements and 2) to reduce the amount of bandwidth needed to load a page. This generally results in a faster load time. It's flexible enough to apply to any webpage object by specifying wildcards in site paths.
However, some websites are specifically designed for IE, so there may be times when you may choose to use it instead for certain websites (like Hotmail), assuming you trust that the website doesn't host any malicious code that will damage your system.
Don't install applications unnecessarily
Whenever applications are installed, there are a number of places where information about the application gets embedded. Aside from the application files themselves, the configuration of the application generally gets written to the registry, and dependency library files get written to the directory specifically allocated to the operating system (C:\Windows). The result is a set of files and entries that hook into the operating system at various levels. When the application is uninstalled, many times these entries are not cleanly removed and some remnants are left behind for various reasons. This is the main reason why Windows tends to slow down over time if many applications are installed and uninstalled. Many applications are notorious for leaving pieces of themselves behind even after the uninstallation process has completed. Additionally, the registry does not compact itself and essentially becomes bloated.
Therefore, a good rule of thumb is to never install applications unless you really have a need for it (as well as trust it).
Remove Windows components that you don't need
By default, Windows comes with additional software components that you may not need. If you open the Control Panel and select Add/Remove Programs » Add/Remove Windows Components, a dialog box will appear that lists components which are essentially optional. Having them installed potentially increases your exposure to software vulnerabilities (that is, your overall "attack surface"). Selecting some of these for removal and going through the rest of the Windows Components Wizard by clicking Next reduces that risk and reclaims a bit of disk space. Examples may include MSN Explorer, Networking Services (specifically the sub-component called Internet Gateway Device Discovery and Control Client), Outlook Express, and Windows Messenger.
Preloaded OEM system images are bloated
I'm not talking about "images" as in pictures. When vendors such as Dell, HP, or Lenovo put together a desktop or laptop, the operating system (as well as the applications) is not manually installed by hand each time. Instead, they are built via an automated process, and some or all of it may be based on a pre-configured system snapshot referred to as a disk image, which is then transferred to a machine on the final leg of the assembly line and "made active." In other words, it's a cloning operation based off a template. The problem with these images is that they are virtually always bloated with additional third-party software from some vendor that paid to get its foot in the door in order to be exposed to the end user. For example, Microsoft Office might be preloaded as a trial-only version, good for a limited number of uses (at the expiration of which you're required to pay for the full license), somewhat akin to a demo ... or a bait and switch, depending on how you look at it. This takes up space, installs itself into the system registry, and generally contributes to unnecessary usage of system resources. Norton AntiVirus is another common example, with only a license to download several months of anti-virus signature updates.
The only way around this is either to optimize this pre-configuration by uninstalling unneeded applications, etc., or to start clean with an original Windows installation CD. The latter is preferable if you want full control. However, this also means you have to pay an additional amount for that installer. The copy of Windows (in its OEM configuration) which comes pre-installed is a license granted to the specific machine that you purchased, and there is no Windows-only installer. In other words, if you want to install Windows fresh and then download / install all the hardware-specific drivers yourself, you're paying for the license to use Windows twice. Some people refer to this casually as the "Microsoft tax." Remember: if you "purchase Windows," what you're really purchasing is a license to use it, not a copy of it.
Run as a Restricted User
This is the big one that most Windows users (even savvy ones who work in more secure corporate enterprise environments) tend to miss. The concept of "least privilege" is quite pervasive in Unix / Linux systems (this is one of the reasons which makes Mac OS X a great choice from a security perspective). However, Microsoft only recently started embracing this idea for the everyday user by incorporating the UAC (User Account Control) feature within Windows Vista. Under UAC, even users who are designated as administrators are assigned a two-sided access badge known as a "split" or "filtered" token, which represents privileges for both "normal" and "top-secret clearance" access. In other words, least privilege means granting someone only enough access to do an authorized task, but never more. This is generally accomplished by logging onto the computer with an account that is designated as a Restricted User in XP (in Windows Vista, the equivalent term is "Standard User").
It's easy to implement least privilege within Windows XP. Simply create a user that's not a member of the Administrators group (and is only a member of the Users group). Then, for everyday use, log into the machine with that account. If for some reason you need to "do something administrative" (such as installing a driver for a printer), you can either log out and log back in with an administrator-level account or invoke the RunAs function (also referred to as "secondary logon") to perform that specific task as an administrator. Read more about RunAs here.
Since a Restricted / Standard User does not have the ability to write data into many different areas of the computer, this prevents many forms of malicious code (that you may accidentally download) from doing system-wide damage. This is because any malware / malicious code that gets executed by a low-privileged user essentially inherits the same level of access privilege (the code runs as that security principal). Therefore, the influence of the virus or trojan is contained to the areas the Restricted User has access to. In many cases, this should stop malicious code dead in its tracks, since it typically requires write access to sensitive areas such as "C:\Windows," "C:\Program Files," or "HKLM\Software" in the registry to do its job.
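As an added example (not part of the original article), this PowerShell script reports whether the current logon carries an administrative token and whether it could write to the three sensitive areas named above. The probes are non-destructive: a uniquely named temporary file is created and removed in each directory, and the registry key is only opened for writing, not changed. Run it once as your everyday account and once as an administrator to see the difference; the function names are my own.

```powershell
# Added example, not from the original article: is this logon restricted?

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Under Vista UAC an administrator running non-elevated holds a filtered
    # token, so this returns $false until the process is elevated.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable([string]$path) {
    # Create and immediately delete a uniquely named file; no lasting change.
    $probe = Join-Path $path ("writeprobe_{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -Path $probe -Force
        return $true
    } catch {
        return $false   # UnauthorizedAccessException for a Restricted User
    }
}

function Test-HklmSoftwareWritable {
    try {
        # Opening with writable=$true throws SecurityException without access.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($key -eq $null) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

"Account                 : {0}" -f [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Administrator token     : {0}" -f (Test-IsAdministrator)
"C:\Windows writable     : {0}" -f (Test-DirectoryWritable $env:SystemRoot)
"Program Files writable  : {0}" -f (Test-DirectoryWritable $env:ProgramFiles)
"HKLM\Software writable  : {0}" -f (Test-HklmSoftwareWritable)
```

A Restricted / Standard User should see False on all four lines; that is exactly the write access that malware running under that account would also lack.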
Stronger passwords
Passwords have long been the standard solution for keeping unauthorized people away from data. However, the quality of the passwords used has a lot to do with the actual security achieved. This is especially the case with Windows, because Microsoft has always designed Windows to be backwards compatible with older technologies. Unfortunately, this assumption and default stance is also one of the root causes of problematic "password security" within Windows, making exposure of passwords (specifically, their stored cryptographic forms, called hashes) much easier for attackers.
Without going into details, it's for this reason that it's important for passwords to be more than just a word that one can find in a dictionary. Simply appending numbers to the end of the secret password does not make it that much more difficult to compromise. In other words, a password like "bugsbunny05" is hardly less prone to discovery than "bugsbunny." Introducing non-alphanumeric characters as well as case variations increases the overall strength and makes passwords like "Bugs@83Bun.net" much more difficult to recover, due to the larger set of characters that has to be assumed. Better yet, make it at least 15 characters long by using a sentence (commonly referred to as a "passphrase") which contains alphanumerics, spaces, and punctuation.
Bear in mind that attackers are not going to sit at someone's keyboard all day to try and guess different permutations of passwords one at a time. Instead, automated tools are used which can be blazingly fast with today's computing power. Given enough time and computing resources, any password can be figured out. The trick is to make the attempt unfeasible. In other words, a thief will generally rather burglarize a house without an alarm system installed than a house that has one.
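As an added example (not part of the original article), the following PowerShell script puts rough numbers on the argument above: a dictionary word with a few digits appended costs a guessing tool only (wordlist size) x (10 ^ digits) attempts, whereas mixed character classes and length force a far larger search. The wordlist, its assumed size and the guess rate are constructed assumptions for illustration, not measurements of any real tool.

```powershell
# Added example, not from the original article: compare the article's sample
# passwords by the number of guesses an automated tool would need.

# Constructed stand-in for a real wordlist; real lists hold far more words.
$dictionary       = @('bugsbunny', 'password', 'letmein', 'daffyduck', 'porky')
$dictionarySize   = 200000   # assumed size of a typical cracking wordlist
$guessesPerSecond = 1e9      # assumed rate of an automated offline attack

function Get-PoolSize([string]$pw) {
    # Size of the character set the attacker must assume for brute force.
    $pool = 0
    if ($pw -cmatch '[a-z]')         { $pool += 26 }
    if ($pw -cmatch '[A-Z]')         { $pool += 26 }
    if ($pw -match '[0-9]')          { $pool += 10 }
    if ($pw -match '[^A-Za-z0-9]')   { $pool += 33 }   # punctuation and space
    return $pool
}

function Get-EffectiveGuesses([string]$pw) {
    # Dictionary word plus an optional short digit suffix: the tool tries
    # every word with every suffix, so the search is tiny regardless of length.
    if ($pw -match '^([a-z]+)([0-9]{0,4})$' -and $dictionary -contains $matches[1]) {
        return $dictionarySize * [math]::Pow(10, $matches[2].Length)
    }
    # Otherwise assume brute force over the observed character classes.
    return [math]::Pow((Get-PoolSize $pw), $pw.Length)
}

function Get-CrackEstimate([string]$pw) {
    $guesses = Get-EffectiveGuesses $pw
    $seconds = $guesses / $guessesPerSecond
    New-Object PSObject -Property @{
        Password = $pw
        Length   = $pw.Length
        Bits     = [math]::Round([math]::Log($guesses, 2), 1)   # log2 of the search
        Days     = [math]::Round($seconds / 86400, 2)
    }
}

$samples = 'bugsbunny', 'bugsbunny05', 'Bugs@83Bun.net', 'My 2 rabbits eat carrots!'
$samples | ForEach-Object { Get-CrackEstimate $_ } |
    Format-Table Password, Length, Bits, Days -AutoSize
```

The first two samples fall within minutes at the assumed rate, while the last two push the "Days" column to astronomically large values; the point is the gap between the columns, not the exact figures.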
Anti-virus is only one part of security
Another area to consider is software that I think of as "reactive" solutions. Anti-virus / anti-spyware / anti-whatever software is such an example. These are only useful once the malicious software has already touched the operating system in some way. If the user enacts better preventative measures, these become less necessary. It's not that they aren't needed, but rather that software vendors tend to market them as magic bullets which supposedly provide the ultimate defense against attacks. The truth is, such software products are only part of a security strategy. Anti-virus is the software defense inside your operating system that does its job only after the castle walls have been breached. It would be better to lock the gates and stand guard at the towers by default rather than relying purely on anti-virus.
This is why firewall software that provides filtering on both incoming and outgoing network communication traffic is essential. Firewalls are essentially the group of soldiers standing outside the castle gate, questioning any stranger that's trying to knock on the front (and back) doors. Windows XP's built-in firewall only inspects incoming traffic. Windows Vista's firewall, on the other hand, is much more powerful and allows a much finer degree of filtering for both inbound and outbound traffic ... but only if properly configured. In addition, a hardware firewall separate from the operating system is even better.
However, anti-virus, anti-spyware, and host-based firewalls should not be considered sufficient defense-in-depth. How the user operates the computer is a significant factor in staying safe while connecting to a large public (and untrusted) network such as the Internet.
See the whole file(name)
Windows relies on the file's name (specifically, its filename extension) to determine which application to open it with. The extension is typically a three-character suffix appended to the filename. However, by default Windows hides these from the end user (even within Windows Vista), presumably to simplify the computing experience. This is a common way of tricking a user into downloading and running a malicious file, since the user may not be aware that the file (which appears to be a harmless text document) is actually executable code that installs spyware.
To reveal the entire filename, open Windows Explorer (you can simply open My Computer) and go to Tools » Folder Options. Then under the View tab on the Folder Options dialog box, uncheck "Hide extensions for known file types." I would recommend unchecking "Remember each folder's view settings" and click the "Apply to All Folders" button at the top, then press "OK."
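As an added example (not part of the original article), this PowerShell script does the same thing as the Folder Options checkbox by setting the registry value behind it, and then scans a folder for the deceptive "double extension" pattern described above (a file shown as "photo.jpg" that is really "photo.jpg.exe"). The scan is read-only; the lists of executable and decoy extensions are my own selection and not exhaustive.

```powershell
# Added example, not from the original article: show extensions and look
# for files whose hidden real extension is executable.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-FileExtensions {
    # HideFileExt: 1 = hide (the default), 0 = show. Explorer applies it after
    # explorer.exe restarts or at the next logon.
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    return (Get-ItemProperty -Path $advanced -Name HideFileExt).HideFileExt
}

# Extensions Windows will execute when the file is double-clicked.
$executable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.hta'
# Extensions commonly used as the harmless-looking decoy in front of them.
$decoy = '.txt', '.doc', '.pdf', '.jpg', '.jpeg', '.gif', '.mp3', '.zip'

function Find-DeceptiveNames([string]$folder) {
    Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $realExt = $_.Extension.ToLower()
            # What Explorer displays with extensions hidden: "photo.jpg" for "photo.jpg.exe"
            $shown   = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            $fakeExt = [IO.Path]::GetExtension($shown).ToLower()
            if ($executable -contains $realExt -and $decoy -contains $fakeExt) {
                New-Object PSObject -Property @{
                    ShownAs  = $shown
                    RealName = $_.Name
                    Path     = $_.FullName
                }
            }
        }
}

"HideFileExt is now {0}" -f (Show-FileExtensions)
Find-DeceptiveNames ([Environment]::GetFolderPath('Desktop')) |
    Format-Table ShownAs, RealName, Path -AutoSize
```

Point Find-DeceptiveNames at your Desktop, My Documents or a download folder; an empty result is the expected outcome on a clean machine.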
Disable unnecessary services
Windows 2000, XP, and Vista are based on Windows NT 4.0 which is the business-grade Microsoft operating system platform that came before Windows 2000. Home users are typically unaware of this since Microsoft marketed Windows 98 (and the previous versions like 95) towards the mass retail market. Windows 95 / 98 / ME are architecturally different at the core from NT 4.0 / 2000 / XP / Server 2003 / Vista. NT-based operating systems have specific background applications that are pre-installed as fundamental parts of the operating system and these are generally not obvious to the end-user unless s/he knows where to look.
However, not all of them are required to be running. Some are not running at all unless explicitly started. However, many of the services which are active by default run as the Local System account (also known as "SYSTEM"), which is basically a super-user account used by the computer itself. The Local System account is a step more powerful than a local administrator, although an end user cannot log in as this account. Each running instance of these services requires some amount of memory and processing power, and may also increase your exposure to network attacks.
The most direct way to view the list of installed services is by going to Start » Run » services.msc. There are certain core services that are required for Windows XP to run, such as the Security Accounts Manager, Logical Disk Manager, and Remote Procedure Call (RPC). But some other services can probably be turned off if you don't need them. For example, if you don't have a wireless interface, there's probably no need to have the Wireless Zero Configuration service running. The Telnet and SSDP Discovery services are also generally unnecessary and should be disabled. If your computer is not in a domain environment (this is most often an Active Directory organization structure used in corporate networks), then you may never need to have Net Logon running. And unless you need to access your computer's registry remotely, then it's a good idea to disable the Remote Registry service.
Refer to Microsoft's documentation for more information. Be careful when stopping or disabling services as many have multiple dependencies on others.
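As an added example (not part of the original article), this read-only PowerShell script audits the services named above, showing their state, startup type, the account they run as, and which other services depend on them, so that dependencies are visible before anything is stopped. It then lists every running service that uses the Local System account. The short service names (TlntSvr, SSDPSRV, WZCSVC, Netlogon, RemoteRegistry) are the Windows XP names; services that are not installed on a given edition are skipped.

```powershell
# Added example, not from the original article: service audit before
# disabling anything. Nothing is stopped or changed.

# Short names (as shown on a service's Properties page) -> display names.
$candidates = @{
    'TlntSvr'        = 'Telnet'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'WZCSVC'         = 'Wireless Zero Configuration'
    'Netlogon'       = 'Net Logon'
    'RemoteRegistry' = 'Remote Registry'
}

function Get-ServiceAudit([string[]]$names) {
    foreach ($name in $names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }   # not installed on this edition
        # WMI exposes the start mode and logon account, which Get-Service does not.
        $wmi = Get-WmiObject Win32_Service -Filter ("Name='{0}'" -f $name)
        New-Object PSObject -Property @{
            Name       = $name
            Status     = $svc.Status
            StartMode  = $wmi.StartMode
            RunsAs     = $wmi.StartName
            # Services that would break if this one were stopped.
            Dependents = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ', '
            # Services this one needs in order to run.
            DependsOn  = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Get-ServiceAudit $candidates.Keys |
    Format-Table Name, Status, StartMode, RunsAs, Dependents, DependsOn -AutoSize -Wrap

# Everything currently running as Local System: the broadest privilege level,
# so each entry deserves a reason to exist.
"Running as LocalSystem:"
Get-WmiObject Win32_Service -Filter "State='Running' AND StartName='LocalSystem'" |
    Sort-Object Name | Format-Table Name, DisplayName -AutoSize
```

A service with a non-empty Dependents column is one to leave alone until you understand what is listed there; that is the dependency trap the warning above refers to.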
Know who your computer is talking to behind your back
If your computer is connected to a (wired or wireless) network, at any given time there may be running software that's communicating with other computers on the network. This may not always be visibly apparent, since many applications are designed to run in the background and not present a connection status to the user. Many applications also include a self-updating mechanism that automatically tries to connect to a home server on the Internet and download updated code, very much like the Automatic Updates service within Windows (for security patches). Sometimes this causes a lot of disk writes, slowing down the system for no reason that the end user is aware of. One way of seeing existing communication is by using TCPView.
Some basic networking knowledge is needed to interpret the display output. This is very similar to the command-line utility fport. Many times, utilities like these will aid in the discovery of unknown applications (like unintentionally installed spyware) that are uploading personal data back to a mothership.
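As an added example (not part of the original article), here is a command-line stand-in for TCPView in PowerShell. It parses the output of netstat -ano (available on XP and later), joins each connection to the owning process name via its PID, and then filters to established connections that are not to the machine itself. It is read-only; the sample line in the comment is constructed to show the format being parsed.

```powershell
# Added example, not from the original article: which process owns each
# network connection?

function Get-ConnectionOwners {
    # Build a PID -> process name map once.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

    netstat -ano | ForEach-Object {
        # Constructed sample of a netstat -ano line:
        #   TCP    192.168.1.5:1057    203.0.113.9:80    ESTABLISHED    1234
        $fields = ($_ -replace '^\s+', '') -split '\s+'
        if ($fields[0] -ne 'TCP' -and $fields[0] -ne 'UDP') { return }   # headers, blanks
        if ($fields[0] -eq 'TCP') {
            $state = $fields[3]; $procId = [int]$fields[4]
        } else {
            $state = ''; $procId = [int]$fields[3]      # UDP lines have no state column
        }
        $name = $procs[$procId]
        if ($name -eq $null) { $name = '(exited)' }     # PID gone since netstat ran
        New-Object PSObject -Property @{
            Proto   = $fields[0]
            Local   = $fields[1]
            Remote  = $fields[2]
            State   = $state
            PID     = $procId
            Process = $name
        }
    }
}

# Established conversations with other machines: the traffic the article
# says happens "behind your back". Loopback (127.x / ::1) is excluded.
Get-ConnectionOwners |
    Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Remote -notmatch '^(127\.|\[::1\])' } |
    Sort-Object Process |
    Format-Table Process, PID, Proto, Local, Remote, State -AutoSize
```

A process name you do not recognize next to a remote address you did not initiate is the cue to look it up in Task Manager or AutoRuns.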
Reduce NetBIOS data leakage
Windows in its default configuration is a very chatty operating system on the network. In keeping with the tradition of backwards compatibility, the NetBIOS communication protocol is enabled on every network interface, which results in broadcasts and announcements of your computer's availability. If you will never need to perform NetBIOS-based name resolution (for example, if you never need to resolve another Windows machine's name on your home network using this protocol), then go to Start » Run, type control netconnections and hit Enter. When the Network Connections window appears, right-click on each of your interfaces (such as "Local Area Connection" and "Wireless Network Connection") and select Properties. Then, under the General tab, double-click Internet Protocol (TCP/IP).
Within the new dialog box, click Advanced.
In the Advanced TCP/IP Settings dialog box, click the WINS tab, select the Disable NetBIOS over TCP/IP option, then OK out of all the dialogs.
Keep in mind that this doesn't disable the ability to share files between Windows machines. This process merely disables legacy network calls used to resolve resources on the LAN. The NetBIOS protocol is not something you'd want to use on an untrusted network like the Internet.
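As an added example (not part of the original article), this PowerShell script makes the same change as the WINS tab through WMI, which lets you review the current setting on every adapter first and apply it to all of them at once. The Win32_NetworkAdapterConfiguration class and its SetTcpipNetbios method are standard WMI; the $Apply switch and function names are my own. Changing the setting requires an administrative logon, so this is one of the tasks that calls for RunAs.

```powershell
# Added example, not from the original article: view and (optionally)
# disable NetBIOS over TCP/IP on every IP-enabled adapter.

$Apply = $false   # set to $true to actually change the setting

# TcpipNetbiosOptions: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled
$labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

function Get-NetbiosState {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Index   = $_.Index
                Adapter = $_.Description
                NetBIOS = $labels[[int]$_.TcpipNetbiosOptions]
            }
        }
}

function Disable-NetbiosOverTcpip {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        ForEach-Object {
            if ($_.TcpipNetbiosOptions -eq 2) { return }   # already disabled
            # SetTcpipNetbios returns 0 on success; anything else is a Win32 error code.
            $rc = $_.SetTcpipNetbios(2).ReturnValue
            "{0}: SetTcpipNetbios returned {1}" -f $_.Description, $rc
        }
}

"Before:"
Get-NetbiosState | Format-Table Index, Adapter, NetBIOS -AutoSize
if ($Apply) {
    Disable-NetbiosOverTcpip
    "After:"
    Get-NetbiosState | Format-Table Index, Adapter, NetBIOS -AutoSize
}
```

Running nbtstat -n afterwards should show no registered names on the changed adapters, while file sharing over TCP port 445 keeps working as described above.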
Don't store your life on your computer
When it comes to personal data, many people have a tendency to put all their eggs in one basket. Tax documentation, personal correspondence, financial information, family pictures, etc., should not all be saved under My Documents. Instead, store them on a portable device such as a large-capacity flash drive that can be kept in a safe deposit box. That way, if a burglar breaks into the house and steals the computer, or a fire burns the house down, your data is still available. While computer hardware is replaceable, data (like the picture of your child's first step) is not. A product like the IronKey may be practical for this.
Protect your personal data from thieves / intruders
There have been many reports in recent years about large corporations and government agencies losing sensitive customer or employee data. In just about all of these cases, having the data encrypted would have been a major factor in minimizing the risk. The "professional" versions of Windows (including Windows 2000, Windows XP Professional, Windows Vista Business / Enterprise / Ultimate, and all the server products) include a feature called EFS (Encrypting File System). This provides a transparent way of keeping your personal data confidential even if someone manages to steal your laptop. Vista Enterprise and Ultimate editions also support the BitLocker feature which can encrypt the entire disk. For "home" versions of Windows, alternate third-party software solutions are available such as TrueCrypt or PGP Whole Disk Encryption.