Upgrade your top ten! Configuring Windows 10 for a safe and comfortable work.

BadB



In its development, Windows has come a long way from a graphical add-in over MS-DOS to a client add-in over a Microsoft cloud service. It will hardly be possible to turn it into a full-fledged operating system, but if you tweak the deep settings, it will become a little safer and not so wayward.

Before experimenting with the registry and services, we advise you to create a restore point, or even better - make a full backup of the system partition.

Back up the registry

One way to make a backup of the registry is to run REG EXPORT in the console.

reg export HKLM hklm_backup.reg

This command creates the file hklm_backup.reg with all the information from the HKEY_LOCAL_MACHINE branch. Repeat the command in the same way for the other registry branches (see screenshot).

Create a registry backup.

You can also backup individual keys before changing them. If something goes wrong, you can always roll back your changes by simply running the .reg file.

We get access to the registry

Programmers have churned out dozens of different system tweakers. All of them promise miracles and work opaquely, but in reality all their functions boil down to three simple things:
  • changing individual registry keys;
  • stopping unneeded services;
  • deleting or adding scheduler tasks.
Often these procedures are interconnected. For example, a running service will not let you delete its registry key, or it will automatically restore a task you cancelled in the scheduler. Therefore, we will consider each task in detail, not limited to standard recommendations.

Let's start by getting access to the registry. This is a separate issue in newer Windows, especially version 10. By default, the administrator cannot change the values of keys in many registry branches or delete files at his own discretion. He's kind of like the boss, but not really.

The typical scheme for managing Windows access privileges surprises Linux users by the fact that the system has higher privileges than any account in the admin group. In the default settings, SYSTEM can do everything, and Administrators can only do what is allowed.

There are various hacky ways to correct this misunderstanding, but most of them leave a hole in the system and reduce security instead of increasing it. Therefore, we will consider more accurate methods. Regardless of the object (registry key, file, directory), you first have to take ownership of it and only then assign yourself access rights.

Method 1 - via regedit

The convenience of this method is that it does not require installing any additional software. The inconvenience is the need to set permissions for each specific key through the graphical shell. Although to some, on the contrary, that will seem convenient.

Change owner for Cortana.

Just run regedit as administrator, select the desired key, and in the context menu (opened with a right mouse click) go to "Permissions", where you change the owner and then assign whatever permissions you need.

Set permissions to change Cortana settings.

Method 2 - through the standard utility SubInACL

Download the SubInACL utility from the Microsoft website. Windows 10 is not on the list of supported operating systems, but don't let that confuse you. We checked: it works. Just remember that the program must be run from the console as an administrator. It is more convenient to first copy SubInACL.exe to the Windows system directory (%Windir%\System32\), so that you do not have to type the path to the executable every time.

Copy SubInACL to the system directory.

Next, for SubInACL you need to specify the name of the modified object, its type and the desired action. An object can be one of the following types: file, directory, specific registry key (keyreg), or a registry entry with all its child keys (subkeyreg).

As usual, before you can assign rights to an object, you need to take ownership of it. It is easy to combine the two actions into one command by listing them separated by a space. For example, the following command will first make the Administrators group the owner of the AutoLogger key (it is responsible for tracing events that occur during the initial stages of OS boot), and then give the admins full access to it.

subinacl /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" /setowner=XTester /grant=XTester=f

Substitute your own account name for XTester everywhere.

Using objects of type subkeyreg, it is easy to completely unlock the registry. Just list its root branches like below:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=XTester=f

And so on.

An example of using SubInACL

Similarly, in one command, we become the owners of all files and directories on the specified disk.

subinacl /subdirectories %SystemDrive% /grant=XTester=f

Method 3 - via the third party free SetACL utility

In general, the method is similar to using the standard SubInACL utility. The differences are minimal.

First, download the freeware software.

Unpack the archive and copy SetACL.exe from it to the directory %Windir%\System32 (or 64). Then launch the console as administrator and call SetACL. The complete syntax of this utility is described in the manual. Brief help is shown when it is started with the help key.

The utility logic is the same as for SubInACL: you need to specify the name of the object, its type and action. Only in the case of SetACL it is better to do it with separate commands. For example, the command below will make the specified user (XTester) the owner of the auto logger key.

SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" -ot reg -actn setowner -ownr "n:XTester"

The next command will give the specified account full access to this registry key, that is, it will allow you to change it.

SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" -ot reg -actn ace -ace "n:XTester;p:full"

Using SetACL to Set Permissions.

Now that you are able to change any registry key, it's time to start modifying the registry.

Disable Cortana

Cortana is highly integrated into the system. It is tied to the search engine, privacy policies, and so on. Therefore, there are many entries about it in the registry, and with each build of Windows 10 there are more and more of them.

After "unlocking" the registry, any key can be easily changed via regedit. When there are many of them, it is more convenient to create a batch file and change them all in bulk from the console.

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

Disable data collection

Under the guise of collecting "diagnostic" data, Windows 10 transfers gigabytes of data to Microsoft, some of which may be confidential. In fact, this is something like a built-in keylogger.

To get rid of this dirty trick, first stop the background services. This can be done via the services.msc snap-in or directly from the console.

net stop DiagTrack

Stop the telemetry service

sc config DiagTrack start= disabled

Disable auto start telemetry service

net stop dmwappushservice

Change any registry keys via the console or regedit

Next, in the same way, stop the following services and disable their autostart:
  • diagnosticshub.standardcollector.service;
  • DcpSvc;
  • WerSvc;
  • PcaSvc;
  • DoSvc;
  • WMPNetworkSvc.
The list of services is always chosen individually, but the first ones we disable are invariably:
  • DiagTrack (service for sending "diagnostic" data);
  • Diagnostics Hub Standard Collector (Microsoft Diagnostics Center Collector Service);
  • dmwappushservice (WAP push message routing service).
Now it's time to tweak the registry.

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

Just save everything as a script (.bat or .cmd) and comment out those lines that you consider unnecessary on a particular computer.
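
The telemetry steps above combined into one batch file that records the previous state before each change, so every step can be rolled back. This is an added example, not code from the original article; the "backup" folder name and the :disable_service and :set_dword labels are assumptions made for illustration.

```batch
@echo off
rem Added example, not from the original article.
rem Assumed names: the "backup" folder and the labels :disable_service, :set_dword.
setlocal
set "BACKUP=%~dp0backup"
if not exist "%BACKUP%" mkdir "%BACKUP%"

rem fltmc only succeeds in an elevated console.
fltmc >nul 2>&1
if errorlevel 1 echo Run this script as administrator.& exit /b 1

rem The three services the article disables first.
for %%S in (DiagTrack diagnosticshub.standardcollector.service dmwappushservice) do call :disable_service %%S

call :set_dword "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" AllowTelemetry 0 DataCollection
exit /b 0

:disable_service
rem %1 = service name. Skip services that do not exist on this build.
sc query "%~1" >nul 2>&1
if errorlevel 1 echo [skip] %~1 is not installed& goto :eof
rem Keep the old configuration (START_TYPE line) so it can be restored later.
sc qc "%~1" > "%BACKUP%\%~1.qc.txt"
net stop "%~1" /y >nul 2>&1
sc config "%~1" start= disabled >nul
if errorlevel 1 echo [fail] %~1& goto :eof
echo [ok]   %~1 stopped and disabled
goto :eof

:set_dword
rem %1 = key, %2 = value name, %3 = DWORD data, %4 = backup file name stem.
reg query "%~1" >nul 2>&1
if errorlevel 1 goto :write_value
rem The key already exists: export it so the change can be undone.
reg export "%~1" "%BACKUP%\%~4.reg" /y >nul
:write_value
reg add "%~1" /v "%~2" /t REG_DWORD /d %~3 /f >nul
rem Print the value back to confirm what is now in the registry.
reg query "%~1" /v "%~2"
goto :eof
```

If no .reg file appears for a key, the key did not exist before the script ran, and rolling back means deleting the value rather than importing a backup.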

Disable unsafe services

Any service is theoretically insecure, but there is a known list of services that leave gaping holes in Windows 10. You can stop them and disable their autostart in the same way, using net stop and sc config. I'll just list them here so as not to overload the article with commands that repeat the same syntax:
  • RemoteRegistry;
  • TermService;
  • TrkWks;
  • DPS.
If you are using Windows 10 on an ordinary computer rather than a mobile device, it is better to disable the useless collection of information from mobile-device sensors:
  • SensorDataService;
  • SensorService;
  • SensrSvc.
If you are not using Xbox, you should also disable Xbox-related services:
  • XblAuthManager;
  • XblGameSave;
  • XboxNetApiSvc.
Optionally, disable Remote Assistance via the registry:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f

Disable administrative shares, if necessary.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f

Set automatic cleaning of the paging file

To avoid leaking passwords and other sensitive data, it is best to clear the paging file regularly, on every reboot and shutdown.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f

Disable autorun from removable media

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f

Erasing history

Disable saving lists of recently opened files:

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d 0 /f

Disable keeping a history of search queries:

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f

Disable history for applications:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD

Remove pre-installed applications

Removing built-in components in Windows 10 does not always happen in an obvious way, but any task can be solved through the console. First, kill the process of the application you do not need, and then uninstall it. Using OneDrive as an example, it looks like this:

taskkill /f /im OneDrive.exe

Remove OneDrive.

Setting up automatic creation of restore points

It is convenient to create restore points automatically using the Windows Management Instrumentation (WMI) command line utility.

Just set up system recovery once, and then create a batch file with the following line:

Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 1

Add it to the task scheduler, and it will start on the specified schedule and automatically create new restore points according to the settings you specified in the first stage.

God mode (make a quick call to any settings)

Many settings in Windows 10 are hidden so deep that you can navigate the graphical menus for half a day. It is much more convenient to call them all with one click through a single shortcut. This technique is called "god mode" and is simple: just create a new folder on the desktop with a name of the form

WriteAnythingHere.{ED7BA470-8E54-465E-825C-99712043E01C}

That's all!

Add "god mode"

After pressing Enter, the folder icon will change to the system one and its name will be hidden. When you click on it, a list of more than two hundred settings in alphabetical order will be loaded. Beautiful!

Disable auto-updates

Through the registry you can also break Windows of the habit of downloading and installing updates whenever it pleases the system rather than you.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f

After that, it remains possible to receive updates manually.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d 0 /f

Auto-update disabled

Removing scheduled telemetry tasks from the scheduler

They are grouped into the sections Customer Experience, Cloud Experience, Application Statistics, File Statistics, Disk Diagnostics, Energy Efficiency Diagnostics, Family Safety Monitor, Network Information Gathering and many others.

All of them are available through the console command schtasks, which must first be run with the /end key to stop the task. Then run it again with the /change key, giving the appropriate task name after /tn.

For example, the command

schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"

will end the Collect File Usage Statistics task, and the following command will disable it:

schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable

Here is a list of the rest of the telemetry tasks:
  • Microsoft\Windows\AppID\SmartScreenSpecific
  • Microsoft\Windows\Application Experience\AitAgent
  • Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
  • Microsoft\Windows\Application Experience\ProgramDataUpdater
  • Microsoft\Windows\Application Experience\StartupAppTask
  • Microsoft\Windows\Autochk\Proxy
  • Microsoft\Windows\CloudExperienceHost\CreateObjectTask
  • Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  • Microsoft\Windows\Customer Experience Improvement Program\BthSQM
  • Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
  • Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
  • Microsoft\Windows\Customer Experience Improvement Program\Uploader
  • Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
  • Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
  • Microsoft\Windows\DiskFootprint\Diagnostics
  • Microsoft\Windows\FileHistory\File History (maintenance mode)
  • Microsoft\Windows\Maintenance\WinSAT
  • Microsoft\Windows\NetTrace\GatherNetworkInfo
  • Microsoft\Windows\PI\Sqm-Tasks
  • Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
  • Microsoft\Windows\Shell\FamilySafetyMonitor
  • Microsoft\Windows\Shell\FamilySafetyRefresh
  • Microsoft\Windows\Shell\FamilySafetyUpload
  • Microsoft\Windows\Windows Error Reporting\QueueReporting
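
The end-then-disable sequence applied to several tasks from the list, skipping tasks that do not exist on the current build and logging each task's state before it is changed. This is an added example, not code from the original article; the log file name and the :disable_task label are assumptions, and only three of the listed tasks are shown.

```batch
@echo off
rem Added example, not from the original article.
rem Assumed names: the tasks_before.csv log and the label :disable_task.
setlocal
set "LOG=%~dp0tasks_before.csv"

call :disable_task "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
call :disable_task "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
call :disable_task "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
exit /b 0

:disable_task
rem %1 = full task path. No parenthesised blocks are used in this routine,
rem because a task name containing ")" would close such a block early.
schtasks /query /tn "%~1" >nul 2>&1
if errorlevel 1 goto :task_missing
rem Record name, next run time and status before the change.
schtasks /query /tn "%~1" /fo csv /nh >> "%LOG%"
rem The result of /end is ignored: the task may simply not be running.
schtasks /end /tn "%~1" >nul 2>&1
schtasks /change /tn "%~1" /disable >nul 2>&1
if errorlevel 1 goto :task_failed
echo [ok]   disabled: %~1
goto :eof

:task_missing
echo [skip] not present on this build: %~1
goto :eof

:task_failed
echo [fail] could not disable, check elevation and task permissions: %~1
goto :eof
```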

Conclusion

On the Internet, you will find a lot of programs whose authors promise to "make Windows work better." They usually act like a black box, performing unknown actions. All their functions can be replaced with a set of batch files, the creation of which is described in this article.

Creating your own set of scripts will take some effort, but only once. After that, everything will run on a schedule (through the scheduler) or on request with one click.

The main thing is that you will always know for sure what exactly changes in the registry and the operation of system services. In addition, while working in the console, you will deepen your knowledge of Windows 10 and can perform similar tasks with your bare hands anywhere.
 