I’ve been meaning to post this from the time I built my Windows desktop. But I keep adding to the list of things I need to configure to get Windows 10 into a “usable” state for me. Unlike with macOS - for which the default installation is well configured, secure, and pretty much good-to-go - the installation and setup of Windows is extremely painful and a terrible experience. I have to spend hours trying different methods to remove junk, disable telemetry, and secure Windows (and still fail)...

Disclaimer: Don’t do anything mentioned below. Read on at your own risk. Everything below is super dangerous! Hence the use of the word “hack” in the title, although we are really just configuring Windows the way Microsoft may not want most users to.

Installation

  • Do not enable Ethernet and do not connect to your Wi-Fi when prompted - without an Internet connection, Windows does not ask for a Microsoft account login.
  • Post-install, remove unwanted Windows components with Windows 10 Debloater.
  • And I also disable most live tiles in the Start Menu - and in many cases I directly Uninstall where possible.

Task scheduler

Even after running the debloater above, I noticed Tasks still present which I disabled:

  • OneDrive Standalone Update Task and XblGameSaveTask - I don’t use OneDrive nor do I have an XBox.
  • All Nvidia scheduled tasks, e.g. NvBatteryBoostCheckOnLogon and NvTmRep_CrashReport# (also see below).
  • Firefox Default Browser Agent task - and/or disable the default browser check in Firefox.
  • For the tasks in the Microsoft folder, I disabled what I didn’t think I needed:
    • Under Active Directory AD RMS Rights Policy,
    • Autochk > Proxy,
    • All the stuff under CloudExperienceHost, Customer Experience Improvement, Feedback, Flighting.
    • DiskDiagnostic > DataCollector since it relates to the Customer Experience Program above (I left the Resolver for S.M.A.R.T. enabled)
    • HelloFace which I don’t use,
    • Everything to do with Sync under Input and International
    • LanguageComponentsInstaller
    • Location which I totally disabled where possible
    • Under Management > Provisioning > Cellular and Mobile Broadband Accounts
    • Since I uninstalled Maps, I disable that section too
    • Printing > EduPrintProv - sounds weird
    • Under Shell, the two items related to FamilySafety
    • TimeZone synchronization - quite meaningless for a desktop that does not go anywhere
    • Windows Error Reporting
    • And, also maybe under Windows Orchestrator (more on this later)

Windows Telemetry

Normally, one would head to the Control Panel / Settings

  • Disable as you see fit in the Privacy section - I mostly turn off everything on-line (Advertising ID, Locally relevant content, Suggested content, Online speech recognition, Send my activity history to Microsoft)
  • While here, also have a look at Apps > Startup and similarly under Task Manager > Startup, to disable the undesired.
  • Diagnostics & feedback has to be Required diagnostic data at the lowest setting (i.e. level 1 - Required).

However, it may be possible to set to the lower level 0 - Security [Enterprise Only] if you are using certain editions of Windows. Microsoft’s documentation says:

When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows 10 Enterprise, and Windows 10 Education.

  • Run Edit Group Policy, and under Computer Configuration, right-click on Administrative Templates > Filter Options....
  • Search for telemetry and then review All Settings.
  • Of note is Allow Telemetry; here you can Enable the policy and set it to 0 - Security [Enterprise Only] (the impacted registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection, where the setting is stored as a DWORD).
  • You may of course, set other policies as you see fit.

Also, under Administrative Templates > System > Internet Communication Management > Internet Communication settings, there is the policy “Turn off Windows Customer Experience Improvement Program”, which you can enable.

Services

One could also try disabling unused services - as long as one is sure they are not needed. For me, I mostly leave them as-is, except for some services I never want activated, especially if it’s to do with remote access. At minimum, I disable:

  • Connected User Experiences and Telemetry (aka DiagTrack)
  • Downloaded Maps Manager
  • Internet Connection Sharing
  • IP Helper (if not using IPv6)
  • Network Connected Devices Auto-Setup
  • Phone Service
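
A read-only check that the scheduled tasks, the Allow Telemetry policy and the services listed above are still in the state this post sets them to (the post notes further down that Windows re-enables some tasks). This PowerShell script is an added example, not part of the original post; the Task Scheduler folder paths and the AllowTelemetry value name are Windows' own names rather than text quoted above, and the script changes nothing.

```powershell
# Added example: read-only drift audit; run from an elevated PowerShell 5.1+ prompt.
# Service display names and task names are the ones listed in this post.
$services = 'Connected User Experiences and Telemetry', 'Downloaded Maps Manager',
            'Internet Connection Sharing', 'IP Helper',
            'Network Connected Devices Auto-Setup', 'Phone Service'
$taskNames = 'XblGameSaveTask*', 'OneDrive Standalone Update Task*',
             'NvBatteryBoostCheckOnLogon*', 'NvTmRep_CrashReport*'
# Assumption: Task Scheduler folder paths for the Microsoft entries named above.
$taskPaths = '\Microsoft\Windows\Customer Experience Improvement Program\*',
             '\Microsoft\Windows\Feedback\*', '\Microsoft\Windows\Flighting\*',
             '\Microsoft\Windows\Windows Error Reporting\*'

$report = @()

# Services: anything not set to Disabled has drifted from the intended state.
foreach ($name in $services) {
    # Trailing wildcard tolerates suffixes such as "(ICS)" in the display name.
    foreach ($svc in Get-Service -DisplayName "$name*" -ErrorAction SilentlyContinue) {
        $report += [pscustomobject]@{
            Kind    = 'Service'; Name = $svc.DisplayName
            State   = "$($svc.StartType) / $($svc.Status)"
            Drifted = $svc.StartType -ne 'Disabled'
        }
    }
}

# Scheduled tasks: check the live state rather than trusting an earlier change.
$tasks = @(Get-ScheduledTask -TaskName $taskNames -ErrorAction SilentlyContinue) +
         @(Get-ScheduledTask -TaskPath $taskPaths -ErrorAction SilentlyContinue)
foreach ($task in $tasks) {
    $report += [pscustomobject]@{
        Kind    = 'Task'; Name = $task.TaskPath + $task.TaskName
        State   = [string]$task.State
        Drifted = $task.State -ne 'Disabled'
    }
}

# Telemetry policy: 0 = Security (Enterprise only), 1 = Required; unset or higher is drift.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$level = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
$report += [pscustomobject]@{
    Kind    = 'Policy'; Name = 'AllowTelemetry'
    State   = if ($null -eq $level) { 'not set' } else { [string]$level }
    Drifted = ($null -eq $level) -or ($level -gt 1)
}

$report | Sort-Object Drifted -Descending | Format-Table -AutoSize
```

Rows with Drifted = True are the ones to revisit after a feature update or driver install.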

A Google search will give you more information! Alas, Black Viper’s Windows 10 Service Configurations is no longer updated.

Start-up and Background Apps

Startup tasks are easy, everyone by now knows to run Task Manager and disable stuff in the Start-up tab. The old msconfig also points to Task Manager nowadays.

But with Windows 10, there are also Background Apps. I can no longer distinguish what are Services, Scheduled Tasks, startup programs, and Background Apps - so I set Let apps run in the background off, as it is mostly a list of MS crap anyway.

Windows Settings

The easy stuff - set Windows Explorer > Options to your preferences, e.g. View > Open File Explorer To This PC:

  • Show hidden files,
  • Show extensions, and
  • Expand to open folder (why isn’t this the default behaviour?)

There is a way to find most of the settings UIs - via what is referred to as God Mode. Windows has a bad habit of hiding settings everywhere (though Macs are similar in this regard, by hiding menu items behind the Option... although fans would say that is exactly what the “Option” key is for). Anyway:

  • Create a folder,
  • Name it GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} (feel free to change the filename, just leave the second part, the GUID after the . exactly as it is).
  • Double click to open it...

Finally, other settings are hidden in the Registry. There are tools to help, but I just do these manually:

  • Modify HKEY_CURRENT_USER\Control Panel\Desktop\WindowsMetrics to shrink down the title bar height as desired
  • Set CaptionHeight -15 x pixels, e.g. 18 pixels = -270,
  • Set ScrollWidth and ScrollHeight, default is -255, and -100 will make it thinner
  • Remove 3D Objects, Pictures, Music and Videos virtual folders from Windows Explorer, by using RegEdit to delete these keys from two locations for Windows 10 64-bit, where:
    • MS = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace and
    • Wow = HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\

| Virtual Folder | MS Keys | Wow Keys |
|---|---|---|
| 3D Objects | {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} | {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} |
| Music | {3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} | {3dfdf296-dbec-4fb4-81d1-6a3438bcf4de} |
| Pictures | {24ad3ad4-a569-4530-98e1-ab02f9417aa8} | {24ad3ad4-a569-4530-98e1-ab02f9417aa8} |
| Videos | {f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} | {f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a} |

Added 2 Jun 2022:

Speaking of the registry, there are many URL schemes / URL protocol handlers that could be potential exploit vectors, similar to the “Follina” exploit. In Microsoft’s own Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability, since there is no solution, the workaround is to delete the offending URL scheme:

Running Command Prompt as Administrator, delete the scheme ms-msdt:

reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Here is another Microsoft CVE involving the ms-appinstaller URL scheme: Windows AppX Installer Spoofing Vulnerability. Good grief, you would have thought we’d know by now not to permit software installation from random, untrusted web sites?
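
To see which URL schemes are registered on a machine before deciding what to remove, and to keep a restorable copy of any key that is deleted, something like the following PowerShell can be used. It is an added example, not part of the original post or of Microsoft's guidance text; the function names and the backup folder are hypothetical, and the watch list holds only the two schemes named above.

```powershell
# Added example: read-only inventory of URL protocol handlers, plus a
# backup-then-delete helper. Run elevated for the removal step.
$watch = 'ms-msdt', 'ms-appinstaller'   # the two schemes named in this post

function Get-UrlSchemeHandler {
    # A class key is a URL scheme when it carries a "URL Protocol" value.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            # Command stays empty when there is no classic shell\open\command entry.
            $cmdKey = $_.OpenSubKey('shell\open\command')
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Watched = $watch -contains $_.PSChildName
                Command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
            }
        }
}

function Remove-UrlScheme {
    param(
        [Parameter(Mandatory)][string]$Scheme,
        [string]$BackupDir = "$env:USERPROFILE\scheme-backup"   # hypothetical location
    )
    $regPath = "HKEY_CLASSES_ROOT\$Scheme"
    if (-not (Test-Path "Registry::$regPath")) {
        Write-Warning "$Scheme is not registered"; return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "$Scheme.reg"
    # Export first so the handler can be restored later with: reg import <file>
    reg export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Scheme failed; key left untouched" }
    reg delete $regPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete of $Scheme failed" }
    "Removed $Scheme (backup: $backup)"
}

# Watched schemes first, then the rest alphabetically.
Get-UrlSchemeHandler |
    Sort-Object @{ Expression = 'Watched'; Descending = $true }, Scheme |
    Format-Table -AutoSize -Wrap
# Remove-UrlScheme -Scheme 'ms-msdt'   # the workaround above, with a backup taken first
```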

Sleep

My computer was waking from sleep periodically - and being a desktop, it sounds like a jet engine when waking (4 case fans, 1 CPU fan, 1 PSU fan at 100% for a brief moment during boot). I am so used to sleeping my Macs but Windows is so stupid that I nowadays power off every time.

Anyway, one can try to “fix” properly sleeping:

  • In Task Scheduler, disable Microsoft > Windows > Update Orchestrator > Reboot_AC / Reboot_Battery and change Security to remove “Write” permissions for everyone, or else Windows will re-enable this! Refer to StackExchange for details.
  • Using Edit Group Policy (gpedit), navigate down Computer Configuration > Administrative Templates > Windows Components > Windows Update, and disable “Enable Windows Update Power Management to automatically wake up the system to install scheduled updates”.
  • Head over to the Control Panel:
    • Under Power & Sleep > Advanced Power Settings > “Allow Timers on Wake” and set to Disable or Important Timers Only.
    • And under Security and Maintenance > Maintenance, hit Change Maintenance Settings and disable “Allow scheduled maintenance to wake up my computer at the scheduled time” (which is 2 am by default).

If this does not work, and your computer still wakes, try to troubleshoot with (source: HelloTech):

  • powercfg /requests (must run Command Prompt as administrator) - list processes preventing sleep
  • powercfg /lastwake - show process or input device that last woke the computer
  • powercfg /waketimers (admin) - list wake timers set e.g. backup, updates, start menu widgets, etc.
  • powercfg /devicequery wake_armed - list input devices that wake from sleep, e.g. keyboard, mouse, USB:

Whatever the last command lists may need to have its power management setting changed - search for the offending device (e.g. your mouse) under Device Manager, and under its Properties > Power Management, uncheck “Allow this device to wake the computer”.

Bluetooth

On the topic of power management, I get frequent disconnects when using my Bluetooth speakers. Often it happens when I hit pause or stop, or after a time of usage, be it YouTube or VLC. There is something seriously buggy about Microsoft’s Bluetooth implementation, as evidenced by many, many complaints on-line.

Some netizens suggest disabling Power Management from the Bluetooth driver. But Microsoft, in their wisdom, is dumb enough to remove the tab to do exactly this in a recent update. Others suggest adding a new DWORD CsEnabled=0 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power. I totally messed up my system by re-trying to pair, adding and removing drivers, updating to Intel drivers, etc. And now I have devices named #2 and worse, I have given up using my Bluetooth speakers.

In addition, there is also Fast Startup which may or may not affect Bluetooth. Microsoft is being obtuse, such that Shutdown no longer shuts down the computer, and only Restart really starts a fresh (clean) copy of the OS. But that means it is impossible to shut down (as the workaround is a restart-shutdown sequence).

Microsoft’s own documentation admits that “Updates may not be installed with Fast Startup in Windows 10” (dated July 2020 and as of March 2021 has not been addressed) - they say “full shutdown only occurs when you restart a computer” but do not tell you how. So stupid. Anyway, I turn it off.

Sigh, moving on...

Nvidia

As mentioned, I disable a bunch of scheduled tasks via Task Scheduler - they are named NvProfileUpdater... or NvTm... depending on the device, per ghacks.net and How-To Geek.

For Services, disabling NVIDIA Display Container LS disables the Nvidia Control Panel (and notification tray icon) while disabling NVIDIA Local System Container disables GeForce Experience.

I don’t touch this, but some people do advise Control Panel > Global Settings:

  • Image sharpening = On with GPU scaling
  • Low latency mode = On
  • Texture filtering = Performance
  • Power management mode = Optimal Power (default), as Adaptive does not really do much.

Search the internet for other guides to remove telemetry and login, like this one by BaiGfe.

Users

It is now annoyingly difficult to create local users, as the Settings and Control Panel links all lead to creating an on-line Microsoft account. This is ridiculous!

To create secondary users (e.g. for file sharing or for logging in with least privilege), the workarounds are either:

  • creating them from Computer Management under Local Users & Groups, or
  • using the CLI net user /add

Firewall and Tamper Protection

A majority of apps make Internet connections nowadays, even when not explicitly told to, so:

  • Use netstat -a to list connections and look for those ESTABLISHED to Internet addresses.
  • And netstat -b to list the programs making those connections

Some apps prompt to add firewall exceptions, and I am more interested in locking down Outbound Rules than inbound ones, under the Windows Defender Firewall with Advanced Security wf.msc console. I cannot really make recommendations here, but one could look at enabled Outbound Rules, and change Allow the connection to Block the connection for anything that sounds fishy, say Connected User Experiences Telemetry or Unified Telemetry Client Outbound Traffic...
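
The same review can be done from PowerShell: the sketch below pairs each established connection to a non-local address with the program that owns it (what netstat -a and -b show together), then lists the enabled outbound Allow rules whose names mention telemetry. It is an added example, not part of the original post; the function names and the address filter are assumptions of the example, and the blocking line is left commented out because it changes firewall state.

```powershell
# Added example: read-only; run elevated so process paths resolve for system processes.
# Loopback, link-local and private (RFC 1918 / IPv6 ULA) ranges count as "not Internet".
$private = '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'

function Get-InternetConnection {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
                Path    = $proc.Path
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

function Get-TelemetryAllowRule {
    # Enabled outbound rules that still allow traffic and mention telemetry by name.
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
        Where-Object { $_.DisplayName -match 'Telemetry' } |
        Select-Object DisplayName, DisplayGroup, Profile, Action
}

# One row per process and remote endpoint, most connections first.
Get-InternetConnection | Group-Object Process, Path, Remote |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

Get-TelemetryAllowRule | Format-Table -AutoSize

# To block a rule after reviewing it (changes firewall state, so left commented out):
# Get-TelemetryAllowRule | ForEach-Object {
#     Set-NetFirewallRule -DisplayName $_.DisplayName -Action Block
# }
```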

Speaking of which, I do not trust Microsoft to search the Internet for me via the Start Menu. If you did not get rid of Cortana (does not work in my region anyway), you may want to disable Search online or Cloud content search. Yes I know Spotlight does a similar thing!

I am in two minds about using Tamper Protection because Microsoft’s logic is all screwed up and the opposite of the way I work! I want to define custom folders to protect where I store documents, photos, etc. BUT I want to allow “My Documents” and other known locations - but this can’t be done. The reason is “My Documents,” etc. is required by nearly all software and games (even for save games), and for this reason I never keep my files in these locations! They get too messy, and by keeping my files on other drives and in known locations (to me anyway, e.g. X:\Docs or X:\Photos), I can easily back them up. Which brings me to my next gripe:

Other Tracking

As a principle, data sharing should always be opt-in, never as an opt-out option - I consider this a dark pattern! I do appreciate that developers do need data for debugging, and I do appreciate “free” is often “ad-supported”... however, that does not imply permission to my “data”, consent to be tracked via personally identifiable tokens, and/or selling said data to other companies.

So, some personal preferences are:

My browser of choice is Firefox with Multi-Account Containers Extension installed and Total Cookie Protection (Strict mode) enabled:

  • for example, I use Multi-Account Containers to separate work from personal tabs. I use a container for Google Search and YouTube (un-authenticated / no login), and a separate one when I am logged in for Google mail or drive.
  • Under Privacy & Security, disable data collection.
  • Disable scheduled task to check default browser about:config > default-browser-agent.enabled = false.

I still use Visual Studio Code (and yes I know VSCodium exists), but I configure it as follows:

  • search for and disable telemetry and crash reporter
  • similarly disable On-line Services Settings like Experiments and Natural Language Search.

Miscellaneous

I do not like that F11 makes apps full screen, it’s too close to the Backspace and I often hit it by accident. Ditto for F12. My programmable keyboard cannot remap the function keys, nor can SharpKeys i.e. I can change F11 to Volume Down, but I cannot change Fn+F11 back to F11 (this combination is not sent to Windows, it runs Explorer somehow without sending scan code E0_6B).

But certain applications may have configurations that can help:

For the Command Prompt, the only way to disable the new full screen hotkey is to revert to Use legacy console under Properties.

Updated 21 Mar 21: Disable background apps, SharpKeys... Updated 2 Jun 22: Deleting unwanted URL schemes in the registry, in response to the Zero-Day Follina exploit.