Personal Backup
	© 2001 − 2021, Dr. Jürgen Rathlev

Start Backup under different account

• Overview
• Prerequisites
• The utility program PbStarter

Overview

Since version 5.8 Personal Backup contains the utility program PbStarter. This can be used to run backups under a user account different from that of the logged-on user. You will find the utility in the Windows start menu as Personal Backup - Backup under different account. The purpose of this program is to provide additional protection against malware that maliciously encrypts a user's data including the backed-up files and demands a ransom in return for the decryption key (so-called Ransomware).

The best way to protect your backed-up data is to use a backup directory where all logged-on users only have read permissions in that any program started under their user account cannot write into the directory containing the backed-up data and hence nothing can be changed there. To achieve this, a new user account must be created via Windows Control Panel. This new account will only be used to perform backups and is the only account that can write to the backup directory. No other activities should be performed under this account.

Important prerequisite: To adjust the permissions of the backup directory, it is essential that the drive or the drive partition that holds the backup directory is formatted in NTFS (Windows default). The FAT32 file system often used for USB sticks will not allow permissions to be to changed.

To run a program under a different user account, you can use the Windows console application RunAs, but it cannot save passwords and requires an entry of the password on starting each backup. In addition, compiling the desired configuration is a difficult task even for experts. In contrast, PbStarter can save the required password as an encrypted string which will enable any user to start a secure backup even without knowing this password. Entering the password is only done once during backup configuration by an authorized user. In addition, by providing a graphical interface, the configuration of backups becomes clear and easy.

Prerequisites

Before you can use this procedure, some prerequisites will be necessary. To make this comprehensible to any layman, it will be described step by step as follows. Bear in mind that there are some minor differences between Windows versions 7, 8 and 10. Particularly in Windows 10 Home several settings, like allocating users to local groups, are not available. For this purpose at least the Pro version is required.

Important preliminary note:

The following has been compiled carefully, but the author assumes no responsibility for the topicality, correctness, completeness or quality of the information provided. Every user should be aware of the risks involved in changing system settings. Liability claims against the author whether material or non-material caused by the use of the information provided shall be rejected.

Setting and adjusting the accounts

Unfortunately, the user account initially created during Windows installation is automatically granted administrator rights by default. However, for all normal activities on your computer (mail, Internet, text processing, image processing, etc.), this is not required at all. In fact, it is no problem to install new programs or change system settings even if you are logged on as a normal user. As soon as elevated rights are required, Windows User Access Control will pop up automatically and prompt for a temporary logon as Administrator.
Therefore, it is strongly recommended that only those rights needed to carry out their tasks be assigned to users. These can be separated into three groups:

• Administrators for the installation of programs and to adjust system settings
• Standard users for daily work
• Backup users with special permissions to perform backups

Following this concept, some initial adjustments to user accounts are necessary:

1. Activation of the default administrator account:
   After a new Windows installation, the default administrator account initially remains deactivated. Call Administrative Tools on the Windows Control Panel and double-click on Computer Management. Click on Local Users and Groups in the tree on the left and then on Users. Double-clicking on Administrator opens the General tab in the property editor. Uncheck the box Account is disabled and then click OK. Right-click on Administrator, select Set Password... and then Proceed. You can ignore the warning at this point because this account has never been used before. Then enter a reasonably complex password (twice) and keep this in a safe location. Finally, close Computer Management and return to Windows Control Panel.
2. Additional administrator account:
   to be on the safe side, another administrator account using a name at will should be created. Call User Accounts - Manage another account on the Windows Control Panel. Click on Add a new user in PC settings and Add Account. Do not use the option to use an online account at Microsoft at this point. Click instead Sign in without a Microsoft account (not recommended) and Local Account. Enter any suitable name and the password (twice). It is very useful to enter the same password as used by the normally logged-on user to make it easy for new programs or updates to be installed, in that on starting a setup, the user will automatically be prompted by the Windows system to log on as an administrator, select the newly-created account and enter the familiar password. Finally click on Next and Finish.
   In the list Manage other accounts click on the newly-created username and Change the account type. Select Administrator and confirm this by clicking Change Account Type.
3. Downgrade other accounts:
   Call User Accounts - Manage another account on the Windows Control Panel. A list of all active accounts will be displayed, among these the Administrator and the newly-created second administrator. Click on all other accounts one after another and select Change the account type. Select Standard user and confirm this by clicking Change Account Type.
4. Create a new account only for backup purposes:
   To perform the backups, a new standard user account with password must be created (e.g. using the name BackupUser). Call User Accounts - Manage another account on the Windows Control Panel. Click on Add a new user in PC settings and Add Account. Create a new local account as described in 2. above. The account type remains a Standard user. This account will never be used for normal logons: it is only required by the program PbStarter to perform the backups.
   It is also recommended to add this user to the local Backup Operators group (not available in Windows 10 Home). Strike Windows key + R
in combination to open the Execute dialog and insert lusrmgr.msc. After clicking the OK button, the Local Users and Groups management console will open. Select Users, double-click the new user, switch to the Member Of tab and add the group Backup Operators.

Security settings for the directories

As described above, write access to the backup directory must be blocked for all standard users except the special backup user. In addition, it must be ensured that the backup user has read permissions to all directories to be backed up.
Important note: The drive containing the backup directory must be formatted in NTFS (Windows default). The FAT32 file system often used on USB sticks does not support security settings.

To understand the procedure, it is important to know that permissions of a parent directory are automatically passed to all its child objects (files and subdirectories). Assuming that a new directory is created on drive F:, e.g. F:\Backup, it will inherit all permissions from its parent directory F:\. You can check this yourself by right-clicking on the new directory and selecting Properties and the Security tab. In the upper part of the dialog window, all users and groups having permissions on this directory are displayed and, in the lower part, the permissions assigned to the selected user or group can be seen (grayed out because inherited). A group contains several users to simplify the assignment of permissions. The permission displayed refers to all users in the group.

1. Security settings for the backup directory:
   All normal users should only have permission to read from this directory. Only the backup user (see BackupUser above) is to have permission to write. In the following description, it is assumed that the backup is to be made to a new directory Backup on drive F::
   • Log on as administrator (see above).
   • Create a new directory Backup on drive F:\.
   • Right click on this directory and select Properties - Security to open the dialog to change the permissions of this directory.
   • Initially, permission inheritance in this directory must be turned off. Click on Advanced and Change Permissions.
     • Windows 7: Deselect Include inheritable permissions from this object's parent and select Add in the prompt that follows, then click OK
     • Windows 8 and 10: Click Block Inheritance and in the prompt that follows, click Convert inherited permissions into explicit permissions on this object, then click OK
   • Click Edit on the Security page
   • Retain the settings for SYSTEM and Administrators
   • Click on the group Users, if this group does not exist click Add... to create a new such entry. Permissions are to be restricted to Read & execute and List folder contents. There must be no permissions to Full control, Modify or Write.
   • Click on Authenticated users (if existing) and Remove
   • If there are further user accounts listed, they must also be removed
   • Click Add, insert the name of the newly-created backup user BackupUser and click OK
   • Check Modify in the list of Permissions for Users and click OK twice
2. Security settings for the directories to be backed up:
   The backup user BackupUser must have permission to read from all directories to be backed up. If the archive bit is to be reset during backup (Full (new) and Incremental), this user additionally needs permission to change file attributes. This is not required for backups using either of the modes Update or Differential.
   If all personal data of the users are located in the Windows default directories, only the directory C:\Users (and its sub-folders) must be set up as described below. If directories at other locations are to be backed up, an analogous procedure is required.
   • If not already done, logon as administrator (see above).
   • Right click on the directory C:\Users (or other directory as appropriate) and select Properties - Security
   • Click the Edit button.
   • Click Add, insert the name of the newly-created backup user BackupUser and confirm by clicking OK.
   • Check the permissions list of the backup user to make sure that Read & execute and List folder contents are selected and confirm by clicking OK twice. Due to inheritance, the system will start to adjust the security settings of all child objects. Depending on the number of files, this can last a little while.
   • If the archive bit must be reset in the source (as in Full (new) and Incremental modes) the backup user additionally needs permission to change file attributes. For this purpose, click on Advanced in the Security tab and then Change Permissions.
   • Select the backup user and click on Edit.
   • Then select the permission Write attributes and confirm by clicking OK three times.

The utility program PbStarter

Overview

Using this program, several backup tasks previously configured with Personal Backup can be arranged as a group. Apart from this, each group contains the credentials of the user account under which the backups are to be performed (e.g. the BackupUser mentioned above). Clicking the button Start backup, all backup tasks in the selected group will be performed using the account of the specified user. The tasks are processed in the order as specified by the list or optionally in parallel. In addition, you can select how the status window will be displayed during backups and if the program should prompt for the password on each start of a backup or save it permanently as an encrypted string. Optionally, you can specify that the backups will be run as an administrator. In this case the Windows User Access Control will prompt for an elevation of user privileges (e.g. to use Volume Shadow Copies).

User interface

After starting the program for the first time, all fields (see screenshot on the right) are initially empty. At first enter a unique name for the group to be created in the description field. At the top right insert the name of the user account under which the backups are to be performed. By clicking the button to the right, the associated password can be entered to be permanently saved as an encrypted string. If no fixed password is specified, it must be entered on each start of the backups by the user. Optionally, you can specify to run the backups with elevated right as administrator. This is, for example, required if Volume Shadow Copies (VSS) are used for the backup.
Then select the backup tasks (buj files) for this group by clicking the button on the left beneath the list field. Notice the important notes below.
Short description of the buttons:

	Creating a new group As described above, a new group will be created.
	Delete selected group The selected group and all its settings will be deleted.
	Add backup tasks A dialog opens to select one or several tasks (buj files) and add them to list.
	Remove a backup task The selected backup task will be removed from the list..
	Edit the selected backup task Personal Backup will be started under the account of the specified backup user to edit the settings of the selected backup task.
	Show the log file of the selected backup task If a separate directory for the log files was specified (see input box below), the log file of the selected task will be displayed immediately after clicking this button.
	Change the order of the backup tasks By clicking one of these buttons, the selected task will be moved up or down in the list.

Other options

• Status window: You can adjust how the status window of the backup progress is to be displayed. If Close after delay or Wait for prompt only on errors is selected, you can in addition adjust the display time.
• Behavior of Personal Backup: The checkboxes below let you select whether the Personal Backup splash screen shall be displayed on program start and whether the end of a backup shall be signaled to the user by playing a sound or not.
• Parallel processing of tasks: You can select whether the tasks of the group shall be processed sequentially or in parallel (for example useful in multi-core processor systems).
• Log directory: If a directory name is specified, during backup all log files will be saved at this location. Consider that the backup user needs right permissions to this directory. If nothing is specified, the log files will be written to the default log directory of the backup user (e.g. C:\users\BackupUser\AppData\Roaming\PersBackup6\).

On the right,
In the field to the bottom left,

The group properties will be saved automatically on closing the program or starting a backup. By clicking the small arrow to the right of the description field you can switch between different groups.
 

Create a Desktop shortcut

Clicking the third button from the left at the bottom will open a dialog (shown on the right) for creating a Desktop shortcut to start selected backup groups with one double click under the associated user accounts. You can combine this with a subsequent action (e.g. Shutdown). In this way it is very easy to run a secure backup before shutting down the computer. No longer use the Windows function Start menu - Shutdown: instead double-click this Desktop icon!

The required settings can be made in a dialog (see screenshot). The list on the left shows all configured backup groups. Select the groups to be run from the Desktop shortcut by click and Ctrl-click. On the right you can select the action to be performed after the backups have finished (see more). If Prompt is selected, the backups will not start immediately after clicking the Desktop shortcut but rather the user will be prompted beforehand to select the subsequent action. In this way, it is very easy to start a secure backup under a different account and decide in each case what should happen afterwards (e.g. hibernate, poweroff or even continue).
Optionally, you can specify that all running programs of the logged-on user should be terminated prior to the backup and that a log file should be written. After clicking OK, the desktop shortcut will be created.

Dialog for option Prompt

Start backups using the Windows Task Scheduler

Create a new task: Clicking this button, will add several selected backup groups to the Windows Task Scheduler to be started automatically for a time schedule. The group selection and other settings are done similar to the Desktop shortcut (see above). Next, you insert the name for the task and the time schedule. (see here).

Edit a task: Clicking this button will show a list of all tasks using PbPlaner. Select a task and click the button Edit task to modify the associated time schedule.
 

Show PbStarter log

If PbStarter was started using the Windows Task Scheduler or a desktop shortcut (see above), an own log file will be created. It will record start and end times, all executed backup groups with their backup tasks and whether errors occurred (e.g. if a running program could not be terminated or Personal Backup could not be started). Clicking this button will display the log. If there happened errors during backup, detailed information can be retrieved from the log of the particular task (see above).

Start an application under different user account

As described above, the logged-on user cannot write or make changes to the backup directory. By clicking this button, a selectable file manager, e.g. TotalCommander or FreeCommander, and additionally any other application, e.g. a text editor such as PsPad will be started under the displayed user account. Using the application(s) started in this way the user will be able to make required changes in the backup directory. Note: Windows Explorer cannot be started in this way.

Command line options

[group list] /force

Starts a backup of all task collections specified in group list (see above under description). The group names must be separated by a spaces. If a group name contains spaces, it must be enclosed by quotation marks.

/ini:[filename] or /ini:[directory]

All program settings are stored in a file PbStarter.ini, which is located by default in the Application Data folder of the user. Using this option you can select an alternative name and/or directory. If a full path is specified (e.g /ini:E:\MyBackupConfiguration\), it will also be used for the PbStarter log file and the Personal Backup settings. In this way you can accomplish that no traces are left behind for example after starting the program from an USB stick.

Important notes

All Backup tasks to be executed must be located in a directory to which the backup user can write. For this, it is recommended that a new subdirectory (e.g. F:\Backup\Tasks) be created in the backup directory (see above: F:\Backup) and all required buj files be copied there. The same applies to log files. To access these files easily, it is useful to create another subdirectory F:\Backup\Logs and enter this name in the group configuration (see above).