Windows PE / 10PE / LiveCD / Boot CD / USB for PC Repair and Hardware Testing
article #1013, updated 5 days ago

Many old friends, e.g. Hiren’s and UBCD4Win, are no longer in development, and do not boot on quite a lot of newer hardware; for a while there was no clear replacement. But there is Medicat, which is Linux-based:

and there is a new Hiren’s renaissance:



Windows password reset tool
article #1546, updated 5 days ago

There is a renaissance of Hiren’s Boot CD, called Hiren’s Boot CD PE:

Today (2024-02-12) my up-to-date Lazesoft could not reset a Windows password, but when I booted into the above, loaded drivers using the embedded Lazesoft, and then reset the password using the NT password edit/reset tool, it worked. There’s also a way to build the bootable with custom driver additions.



Prevent ROBOCOPY from Hiding Files
article #1579, updated 5 days ago

When you copy an entire folder with ROBOCOPY, sometimes it hides files. Use this on the end to prevent:



article #1578, updated 13 days ago

This is the Internet DNS name of a Microsoft server. On a Windows operating system, immediately before any and all of a wide variety of things occur, the machine will contact this server for some bandwidth and connectivity tests.

There are often issues with this. If attempt is made and fails, Windows may throw up a popup in the lower-right corner, asking for a mouse-click. Sometimes DNS servers lack this record for some reason, causing odd and unusual troubles. There have been other consequences.

There are ways to turn this off altogether. So far testing has found zero gotchas for shutting it off, it is not clear whether it is essential. The simplest way to do so, is probably to enable this item in local or domain group policy:

Computer Configuration
Administrative Templates
Internet Communication Management
Internet Communication settings
Turn off Windows Network Connectivity Status Indicator active tests



Major performance boost: Disable NETBIOS and related on all Windows NICs
article #1557, updated 18 days ago

NETBIOS is a very legacy protocol, security of it is very poor. Substantial performance gains by disabling it have been noticed. This is probably because when active it broadcasts constantly to every single NIC on its LAN, creating NIC and switch contention. Also, a large proportion of security violation exploits use it, so disabling becomes a very good idea in general. The only exceptions occur when there are needs to do SMB sharing with very old machines, machines all long out of support. By default, it is still active on all current Microsoft Windows operating systems.

Here is a paste to Powershell that does it all:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = [UInt32](2) }

Get-WmiObject Win32_NetworkAdapterConfiguration | Invoke-WmiMethod -Name SetWINSServer -ArgumentList @('','')

$nicall = [wmiclass]'Win32_NetworkAdapterConfiguration'

The various bits are below.

Turn off NETBIOS over TCP/IP, for each NIC:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Where-Object -Property 'TcpipNetbiosOptions' -ne $null | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = [UInt32](2) }

Get rid of all WINS entries, if present (sorry, no CimInstance code yet):

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Invoke-WmiMethod -Name SetWINSServer -ArgumentList @('','')

Uncheck of LMHOSTS lookups:

$nicall = [wmiclass]'Win32_NetworkAdapterConfiguration'

If Microsoft DHCP is in use, DHCP can tell clients to do the simple disable, the first item above:

Below is another script, to reenable the protocols, though it does not try to put back any WINS server IPs that may have been deleted, and it cannot override Microsoft DHCP:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = 0 }

$DisableLMHosts_Class=Get-WmiObject -list Win32_NetworkAdapterConfiguration

And if you want to combine the above with a new Microsoft standard preventing Windows port exhaustion:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = [UInt32](2) }
Get-WmiObject Win32_NetworkAdapterConfiguration | Invoke-WmiMethod -Name SetWINSServer -ArgumentList @('','')
$nicall = [wmiclass]'Win32_NetworkAdapterConfiguration'
netsh int ipv4 set dynamic tcp start=49152 num=16384
netsh int ipv4 set dynamic udp start=49152 num=16384



Free Wifi Analysis Software for Windows and MacOS
article #1577, updated 19 days ago

Just learned about this:



Appx Cleanup for Windows 10/11 Performance
article #1561, updated 21 days ago

Appx’s are a method used for application install, first delivered in Windows 8.1. There are a lot of builtins which take live system resources in hidden fashion, usually not showing up in Task Manager very much or at all. And there have been a lot of changes in this over recent years. Here’s an overview of items for cleanup as of this writing. One can free a lot of resources on machines this way.

The first thing to know is that many appx’s are “provisioned”, they are embedded in the current (“online”) DISM image, and will be automatically activated whenever a new user profile is made. To get a list of these:

Get-AppxProvisionedPackage -Online | Sort-Object | ft DisplayName, PackageName

To remove several of these that I like to have gone in business desktops:

#Begin Script
$PackageNames =  @(

$RemovalItems = Get-AppxProvisionedPackage -Online | 
	Where-Object { $PackageNames -contains $_.DisplayName }

foreach ($Removals in $RemovalItems)
	$RemovalName = $Removals.DisplayName
	"Removing $RemovalName from provisioning..."
	Remove-AppXProvisionedPackage -Online -PackageName $Removals.PackageName

$RemovalItems = Get-AppxPackage -allusers | Where-Object { $PackageNames -contains $_.Name }

foreach ($Removals in $RemovalItems)
	$RemovalName = $Removals.Name
	"Removing $RemovalName from user-level install..."
	Get-AppxPackage $Removals.Name -AllUsers | Remove-AppxPackage -Allusers
# End Script

The above first gets rid of the provisioned, then the user-level for all user profiles, for the whole list. There are some for which Microsoft prevents all removals; errors are thrown for these.



New public DNS: NextDNS
article #1566, updated 21 days ago

Appears to be very very good. Better ping than many from some major ISPs. Also very sophisticated and configurable, and considerably less expensive for the features, than some.



Automate install of HP drivers and firmware
article #1576, updated 43 days ago

HP Support Assistant is the oft-default tool, not suitable for automation; but there is the HP Image Assistant:

So far this looks like the way forward. Early testing done, not thorough yet. It has a GUI for default use, but also has command line usage. Download the installer, complete it, CD to the folder it created in command-line, and run HPImageAssistant.exe for nice GUI. Documentation is here:

Several command-line examples are in that PDF. This command does a lot of very good things, very silently:

.\HPImageAssistant /Operation:Analyze /Category:All,Accessories /selection:All /action:Install /silent /reportFolder:c:\HPIA\Report /softpaqdownloadfolder:c:\HPIA\download



Clear System Volume Information (and Disable Sentinel One)
article #1438, updated 46 days ago

The hidden NTFS “System Volume Information” folders on Windows machines, can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far, is here.

But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it often is a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI, unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1, are at the end of this article. There may well be other security tools which will behave similarly, and need similar interaction beforehand.

General cleanup steps:

  1. This command usually gets all of them: wmic shadowcopy delete /nointeractive
  2. Very rarely, this will get a few more: vssadmin delete shadows /all
  3. And even more rarely on a server only, the above two don’t get it done, and this is needed:

    then within diskshadow’s command line: delete shadows all

Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.

Special case cleanup steps

Special cases do occur. Here are steps which can help a lot.

  • Sometimes the steps above quit in the middle. Start them over again. Often they’ll complete.
  • If the above does not completely solve the situation (if the SVI folder is still huge), do vssadmin resize shadowstorage for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
  • Run CHKDSK /F at reboot. Then start from the beginning :-)

To disable SentinelOne:

  1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin may receive a notice that you have asked for this.
  2. cd "C:\Program Files\SentinelOne\Sentinel*"
  3. Please put the actual passphrase in, and the quotes are necessary:
    .\sentinelctl.exe unload -slam -k "<passphrase>"

Then, and only then, will the cleanup commands above work.

To reenable S1:

  1. .\sentinelctl.exe load -slam

If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam