Category: Windows OS-Level Issues

Set Priority of NICs/WNICs in Windows
article #1492, updated 3 hours ago

So we have the situation where we have multiple network interfaces, possibly including wireless, and we want to set priority, so if one is connected, that one will be used. Here’s a good working procedure, all in Powershell.

  1. Get list of interfaces with the Windows index number for each:
Get-NetIPInterface | ft ifINdex,InterfaceAlias,AddressFamily

Now we have a list of interfaces and names. Each interface device may have two listings, one for IPv6 and one for IPv4. What we want is the index numbers for the two. On one machine, “Ethernet” was index 12, and “Wifi” was 18, but there will be wide variation.

  1. Priority is higher, for lower numbers. So if we want to set high priority for wired Ethernet when it’s present, we could set priority 10:
Set-NetIPInterface -InterfaceIndex "12" -InterfaceMetric "10"
  1. and to make it stick and work predictably, we set Wifi to priority 100:
Set-NetIPInterface -InterfaceIndex "18" -InterfaceMetric "100"

Categories:      

==============

Install Edge browser via Powershell
article #1491, updated 10 days ago

This works well as of this writing. I imagine the URL will change in the future.

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
md -Path $env:temp\edgeinstall -erroraction SilentlyContinue | Out-Null
$Download = join-path $env:temp\edgeinstall MicrosoftEdgeEnterpriseX64.msi
Invoke-WebRequest 'https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/a2662b5b-97d0-4312-8946-598355851b3b/MicrosoftEdgeEnterpriseX64.msi'  -OutFile $Download
Start-Process "$Download" -ArgumentList "/quiet"

Categories:      

==============

Successes in DISM with sources specified
article #1488, updated 25 days ago

A number of friends and I have tried several DISM variations using non-Windows-Update (non-default) sources. Here are known successes. /LimitAccess means don’t use Windows Update.

The first one presumes that a different machine running the same OS is available on the network with C$ being the C: drive share. Reportedly, that share can be simply all of the files from a non-running install.

DISM /online /cleanup-image /restorehealth /source:\\ANOTHER_SERVER\C$\Windows /LimitAccess

The second one uses an OS install ISO; right-click it and choose Mount. G: represents the drive letter given:

DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:G:\Sources\Install.wim:2 /limitaccess

Many ISOs have more than one image within the .WIM file. To get the list of images (and numbers to put after the colon), run this:

DISM /Get-WIMinfo /wimfile:G:\sources\install.wim

You’ll notice, in the /Source:wim line above, that #2 is present, not #1. This is because, in a very common image recently used, it is image #2 which has most of the components, not #1.

After a DISM /RestoreHealth is successful, it appears to be best to run SFC /SCANNOW. To some extent, DISM appears to get the good stuff in, and SFC appears to put it where it needs to go.

Categories:      

==============

Renoberate & Clear Windows Logs
article #1482, updated 31 days ago

Recently it was discovered that a Windows server was running very slow because the Security log’s maximum size was set to 40 gigabytes. Here is a Powershell bit which will look at all event logs, set their max size to 2.5M if set larger, and clear them. Seems to free up a nice healthy dollop of performance in general.

wevtutil el | Foreach-Object {
	$LogObject = Get-WinEvent -ListLog $_
	If ( $LogObject.MaximumSizeInBytes -gt 2500KB ) {
		"$_ has max set to larger than 2.5M.  Setting to 2.5M."
		$LogObject.MaximumSizeInBytes = 2500KB
		$LogObject.SaveChanges()
		}
	wevtutil cl $_
	"$_ cleared."
}

There are times when an operation, a software install or configure perhaps, will error with “Cannot open log for source ———-. You may not have write access.” The below will do the above, and also give read/write to every local admin.

wevtutil el | Foreach-Object {
	wevtutil sl $_ "/ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)(A;;0x3;;;LA)"
	$LogObject = Get-WinEvent -ListLog $_
	If ( $LogObject.MaximumSizeInBytes -gt 2500KB ) {
		"$_ has max set to larger than 2.5M.  Setting to 2.5M."
		$LogObject.MaximumSizeInBytes = 2500KB
		$LogObject.SaveChanges()
		}
	wevtutil cl $_
	"$_ cleared."
}

The security string is written in something called SDDL. Some more info:

https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/

Categories:      

==============

Disable Windows Compatibility Telemetry
article #1370, updated 31 days ago

This can sometimes save a lot of CPU and/or disk cycles. There are a few things to do. First, we disable a buried Scheduled Task:

Either GUI,

  1. Open the Task Scheduler
  2. Open Task Scheduler Library, Microsoft, Windows, Application Experience.
  3. Disable Microsoft Compatibility Appraiser, with a right-click choice.

Or CMD,

schtasks /Change /Disable /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"

And second, we disable a service:

Disable the Windows service called Connected User Experiences and Telemetry Service, short name DiagTrack.

One can not disable this using the Microsoft-recommended Group Policy method. One can only set it to a “minimal” setting, which still will often eat resources. There is much web reporting which says one can do a disable by GPO, but this is not correct, it just disables GPO control over the situation.

Categories:      

==============

To manually enable TLS 1.2
article #1487, updated 34 days ago

From the excellent Brigg Bush. Do all of these in Powershell:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' –PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –PropertyType 'DWORD'

Categories:      

==============

Fixing Windows Search
article #1486, updated 39 days ago

This page has some fixes that I haven’t seen anywhere else:

https://computerinfobits.com/why-is-windows-10-search-so-bad/

Categories:      

==============

Uninstall Windows applications via command line
article #1326, updated 95 days ago

This command:

wmic product where name="Application Name" call uninstall /nointeractive

appears to do it. Put the whole long name from the software list in Control Panel, within those double parentheses. This works in at least some cases where msiexec /x does not. And it is not version-specific.

To get a full list of names with GUIDs, try this:

get-wmiobject Win32_Product | sort-object -property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

Categories:      

==============

Microsoft Update Health Tools, and PSWindowsUpdate
article #1455, updated 111 days ago

The Microsoft Update Health Tools appears to be an optional add-on which helps Windows do updates. Beyond that all of my searching has come up with vagueness. But Microsoft recommends it and often installs it without informing us, so probably it helps fairly often.

Microsoft Update Health Tools comes in KB4023057. To install KB4023057, we can use PSWindowsUpdate:

www.business.com/articles/install-windows-patches-powershell/

Here’s a complete run-anywhere command paste for preparing to use the module (administrative shell only please):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Executionpolicy RemoteSigned -Scope Process -Force
Install-PackageProvider -Name NuGet -Force -ErrorAction 'SilentlyContinue' > $null
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
If (Get-InstalledModule -Name PsWindowsUpdate -ErrorAction 'SilentlyContinue') {
	Update-Module -Name PSWindowsUpdate -Force
} Else {
	Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

and the command for just KB4023057:

Install-WindowsUpdate -KBArticleID KB4023057

PSWindowsUpdate is a very interesting module all by itself, it can do lots of things, e.g., install all updates available from Microsoft. Another nice function is:

Reset-WUComponents

To get a full list of functions:

Get-Command -Module PSWindowsUpdate

Get-Help works for all of them.

One can install all updates available from Microsoft, though this can be dangerous, there are huge ones and drivers and BIOS too. So this simple command won’t be here :-)

To just see the list of available updates:

Get-WindowsUpdate

To install all available updates except one KB:

Install-WindowsUpdate -AcceptAll -NotKBArticleID KB000000

and except a list (here of two) KBs:

Install-WindowsUpdate -AcceptAll -NotKBArticleID "KB000000,KB000001"

where KB000000 is a KB to be excepted. There’s also -NotCategory and -NotTitle for items without KB articles.

Categories:      

==============

Intel NICs: New Dual-Install Approach
article #1467, updated 229 days ago

As of very recently, Intel has divided its NIC support installs into two steps, one being driver, and the other being PROset, software which supports the driver and the hardware. Both are recommended. Here is the page for Windows 10:

www.intel.com/content/www/us/en/download/18293/intel-network-adapter-driver-for-windows-10.html

Categories: