Today I was following a guide on how to install Qubes Windows Tools (QWT) on Qubes OS Release 4.0.
Qubes issue #3585
opened 08:23AM - 14 Feb 18 UTC
C: doc
C: windows-tools
P: default
T: task
help wanted
**EDIT - Updated tools for R4 are in the current-testing repo**
See Marek's [… comment](https://github.com/QubesOS/qubes-issues/issues/3585#issuecomment-403785567) (some issues remain); install with
~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-tools
~~~
**Note** however that upgrading from QWT3 often fails (see below), and installing QWT4 in *clean* windows HVMs [doesn't work](https://groups.google.com/d/msg/qubes-users/i36AbxtgwgI/eSZdrsuWBgAJ) for some users. Clone your VM before attempting anything !
- 1st install: follow the [official doc](https://www.qubes-os.org/doc/windows-tools/)
- upgrade from the 3.2 version: clone your vm first ! ; temporarily set `debug` to true and `qrexec_timeout` to a large value (eg. 600) or the vm will be killed before you'll be able to complete the setup (it takes a bit of point&click).
* [FAILS] VM with SP1 and no other windows updates / **upgrading** over 3.2: at the following reboot, windows fails to boot and tries to repair files, which as usual doesn't fix anything (the VM might boot at some point, without the tools installed)
* [TODO] VM with SP1 and no other windows updates / **remove** 3.2 version first and then install 4.0.0
* [TODO] VM with latest windows updates / **upgrade** over 3.2
* [TODO] VM with latest windows updates / **remove** 3.2 version first and then install 4.0.0
---
[The purpose of this issue is to gather user experience and document the installation of R3.2's QWT in Windows HVMs on R4, bugs found and workarounds until the tools are fixed (and hopefully have a new [maintainer](https://groups.google.com/d/msg/qubes-devel/tBqwJmOAJ94/t5KgmST2BAAJ)).]
#### Qubes OS version:
Qubes 4.0
#### Affected TemplateVMs:
Windows HVMs
#### Edits
- Nov 13
* add gateway network setting in issue 1
- June 23
* add @mossy-nw 's comment about properly checking the rpm sig
- May 7
* add note about VM qvm-prefs issue when creating a VM based on a windows template
- Apr 23
* add AppVM based on win TemplateVM issue
- Mar 11
* revert note about qvm-copy/move failing, it works fine (transient errors because of update mismatch on my system).
- Mar 5
* add note that since [qsb #38](https://www.qubes-os.org/news/2018/02/20/qsb-38/) qvm-copy/move fails with 'request refused' because the tools aren't updated.
* add qvm-prefs vmname default_user <user> to fix copy location ; reference [here](https://groups.google.com/d/msg/qubes-users/SdmqyKDXwU0/sl9LczO-BwAJ)
- Feb 28
* add `rpm -K` for rpm sig check (seen such questions in qubes-users ML)
* add comment by @AJolly / QWT won't install with the 'move profiles' option disabled
- Feb 18
* more info on networking (DNS ips, ... + disabling the qubes net service)
* copied some of the commands needed from the official QWT install guide
* note about windows update + Xen VBD driver
---
#### QWT installation
Prerequisite: win7 x64 VM (see https://www.qubes-os.org/doc/windows-vm/).
Get the last QWT rpm [here](https://yum.qubes-os.org/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm).
In order to check the rpm's signature you'll have to import Qubes Release 3 Signing Key in the VM where you are confirming the rpm signature. Get the key [here](https://keys.qubes-os.org/keys/qubes-release-3-signing-key.asc) .
Check the key fingerprint as follows:
~~~
gpg2 --fingerprint --import --import-options show-only --dry-run qubes-release-3-signing-key.asc
~~~
Or alternatively,
~~~
gpg2 --import qubes-release-3-signing-key.asc
gpg2 --fingerprint "Qubes OS Release 3"
~~~
And compare with the key's well-known fingerprint, which should be `C522 61BE 0A82 3221 D94C A1D1 CB11 CA1D 03FA 5082`
Import the key to the VM's rpm keyring:
~~~
sudo rpm --import qubes-release-3-signing-key.asc
~~~
You can now check the rpm's signature (more info on rpm signatures [here](https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-check-rpm-sig.html)):
~~~
rpm -K qubes-windows-tools-3.2.2-3.x86_64.rpm
~~~
You should get `qubes-windows-tools-3.2.2-3.x86_64.rpm: digests signatures OK`. If not, check that the rpm is properly downloaded, that the signing key is imported, ...
Extract the iso from the rpm:
`rpm2cpio qubes-windows-tools-3.2.2-3.x86_64.rpm | cpio -idmv`
And start the VM (assuming the iso is in the 'untrusted' VM):
`qvm-start --cdrom=untrusted:/home/user/qubes-windows-tools.iso win7new`
From the QWT install [guide](https://www.qubes-os.org/doc/windows-tools/):
* win cmd: `bcdedit /set testsigning on`
* win cmd: `netplwiz` / uncheck 'Users must enter a user name and password...'
* in dom0: qvm-prefs vmname qrexec_timeout 300
Note about Windows Update:
* updating the machine is *not* required provided you don't enable the storage driver (disabled by default) in QWT' setup. QWT works on a bare SP1 install as well as in fully updated. See @dmoerner's [comment](https://github.com/QubesOS/qubes-issues/issues/3585#issuecomment-366471111) below on how to install updates.
* _however_, a fully updated Windows seems to be required in order to install xen's VBD (storage) PV driver:
- on "stock" SP1, installing Xen's PV driver from either QWT or from Xen's [official site](https://www.xenproject.org/downloads/windows-pv-drivers/winpv-drivers-81/winpv-drivers-820.html) results in either a BSOD or endless unfixable reboots.
- after a full Windows Update (takes hours), installing Xen's official driver works flawlessly. Haven't tested when installing QWT *with* the storage PV driver *after* updates.
Note about QWT's 'move user profiles' options: @AJolly [reports](https://github.com/QubesOS/qubes-issues/issues/3585#issuecomment-368065710) that QWT wouldn't install with the option disabled.
#### Issue 1 - Networking isn't set up properly
The PV adapter's status is stuck at "Identifying"; pinging an *ip* works but pinging a *host* fails, indicating a problem with DNS resolution. A tcpdump on sys-firewall indeed shows that DNS requests are sent to the gateway's ip and are rejected. The reason is that in R4 VMs [are now using](https://www.qubes-os.org/doc/vm-interface/) the exposed "/qubes-{primary,secondary}-dns" values, while R3.2's Windows Tools still use /qubes-gateway (whose IP in R4 is different from /qubes-primary-dns).
Workaround: disable the "Qubes Network Setup" service (with gui/`msconfig`, or `sc config "QubesNetworkSetup" start= disabled` in a command prompt) and configure the network manually.
Settings:
* DNS{1,2}: 10.139.1.1, 10.139.1.2
* Subnet: 255.255.255.0
* IP: to find the VM's ip, run `qvm-prefs vmname visible_ip` in dom0. Caveat: a cloned/restored/... VM will likely have its IP changed so you'll have to remember to update your network settings.
* Gateway: to find the ip, run `qvm-prefs vmname visible_gateway` in dom0
#### Issue 2 - Copy/Move functions
* If the username you log on with in Windows is different than `qvm-prefs vnname default_user` (usually 'user'), then the 'QubesIncoming' folder is located in `C:\Windows\System32\config\systemprofile\Documents\QubesIncoming\` (and launching .exe's directly from this folder sometimes fail, in which case one has to copy the .exe somewhere else (eg. on the desktop) and run it from the new location). Fix it with `qvm-prefs vnname default_user winusername` where `winusername` is the username you log on with in windows.
* In R4 the qvm-{copy,move} operations don't require the destination VM as argument: the destination VM is later typed by the user in a dom0 popup gui. When using R3.2 tools in R4 and copying/moving a file from/to a Windows VM, the user will be presented with a "destination VM" popup menu twice - once in the windows VM and once in dom0 (it is OK to leave the VM field blank in windows though).
#### Issue 3 - inter VM copy/paste doesn't work
Workaround: copy text in files and copy/move them accross VMs.
#### Issue 4 - creating Windows AppVMs based on a Windows TemplateVM
Problem: the private disk is present in the AppVM but QWT doesn't initialize it if it's empty (format + relocate user profiles). As a result user profiles aren't found at startup and the AppVM is stuck at "Preparing your desktop" for a 2-3 minutes until it timeouts. The vm is then barely usable because of the lack of user profiles.
Workaround (work in progress): copy the private disk of the TemplateVM to the AppVM - see [this ML thread](https://groups.google.com/d/msg/qubes-users/TJZQbB9CvrU/j6Zu1ZaJCQAJ)
Problem 2: Qubes doesn't copy a template VM's prefs when creating a VM so the new VM's prefs will be the "default" ones and won't be set properly for windows ; eg.
~~~
qvm-prefs winTemplate kernel -> ''
qvm-prefs winTemplate virt_mode -> 'hvm'
qvm-prefs winTemplate memory -> '2096'
qvm-create --template winTemplate --label red wintest
qvm-prefs wintest kernel -> '4.4.18-1'
qvm-prefs wintest virt_mode -> 'pvh'
qvm-prefs wintest memory -> '400'
~~~
Solution: set the preferences to match those of the templateVM.
#### Fixing QWT
See [this message](https://groups.google.com/d/msg/qubes-devel/tBqwJmOAJ94/xmFCGJnuAwAJ) from Marek.
* Networking isn't set up properly: use /qubes-primary-dns ; looks trivial (
https://github.com/QubesOS/qubes-core-agent-windows/blob/master/src/network-setup/qubes-network-setup.c)
* Copy/Move functions: fix the copy/move functions/gui not to require any argument (https://github.com/QubesOS/qubes-core-agent-windows/blob/master/core-agent-windows.wxs)
I can’t download the .rpm which’s needed in order to install QWT. The web page says 404 Not Found.https://yum.qubes-os.org/r3.2/current-testing/dom0/fc23/rpm/qubes-windows-tools-3.2.2-3.x86_64.rpm
Will the link be repaired? Is there a workaround?
Hi. I see you are trying to download a version of QWT for Qubes 3.2 (I guess that was not your intention).
https://yum.qubes-os.org/r4.0/current-testing/dom0/fc25/rpm/qubes-windows-tools-4.0.1-3.noarch.rpm
2 Likes
Thank you, I’ll try it. They should probably update the link in qubes issue #3585 .
I believe the attchment of QWT to windows10 is broken. So the best way to get them there I think is to download from https://ftp.qubes-os.org/qubes-windows-tools/ and then verify it.