dotfiles/dotfiles/windows

Windows Setup

• Disable Microsoft's piece of shit Secure Time Seed (STS) because it can result in insane system clock times that wreck havoc.

  • Open regedit and go to KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
  • Set UtilizeSslTimeDat to 0 and reboot.

• Disable Windows Platform Binary Table

  • This is a system Windows made for hardware vendors to inject firmware to the OS drive, running it at boot time. It's a huge security hole! Vendors can do things like download software, auto update the mobo firmware, etc. In 2023, Gigabyte was caught using this to download exe's from their server over an http connection! (keep in mind that they're corporate systems have been hacked multiple times in the last year). Anyway, this feature is fucking dumb and you can be sure that all mobo vendors are using this stupid shit. I don't blame them though since Microsoft built this for them. There's no way to stop this from happening other than to disable the platform entirely.
  • Open disable-windows-platform-binary-table.reg and reboot.

Make a system restore point before proceeding.

• Change PC name

  • Open settings -> System -> About -> Rename this PC
  • Reboot

• Optionally target a specific Windows release for updates

  • Useful when you want to stay on a specific release or install one that isn't yet available to you, e.g. running Win10 21H1, want 22H2.
  • If you don't care and just want Windows to give you the release when your system is selected then you probably want to disable the policy instead of leaving it as "not configured". I wasn't getting 22H2 and Windows Update claimed this policy was in use. I had to target 22H2 to get it and then I left the option disabled. So, you might want to try disabled from the get-go and see how it plays out.
  • Group policy editor:
    • Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business
    • Enable Select the target Feature Update version, set the product to Windows 10 and the version to 22H2 or whatever you want.
  • Now check for new Windows updates, should pick up the target version.

• Review trusted root certificate authorities

  • Open the Microsoft Management Console (win+r, mmc)
  • File -> Add/Remove Snap-in -> Certificates -> Add
  • Choose Computer Account -> Next -> select Local computer -> Finish -> OK
  • Expand the cert tree -> click on Trusted Root Certificate Authorities -> Certificates
  • Before deleting a certificate, export it as a backup in case it's needed for system operation. Can also make a restore point before making any changes.
    • Note: I'm putting exports in backups/windows_certificates

• Maybe disable swapfile

  • Not a good idea to have this turned on for SSDs since it's extra writes, and writing to an SSD degrades the drive. Probably best to put this on a spinning disk. It's unclear if it's a bad idea to entirely disable on Windows 10 & 11. You likely won't have an issue if you have lots of RAM, but apparently its used for other things like sleeping apps, kernel dumps, etc. It's possible that disabling it will affect your PC performance. Whether that's noticeable is something I'm unsure of.
  • Advanced System Settings -> Advanced -> Performance settings -> Advanced -> Change paging settings -> set the drives to none
  • Reboot

• Download O&O ShutUp10 and disable things.

• Download InControl to stop Microsoft from pushing Windows 11.

• Install Open-Shell to restore the start menu to the sensible Windows 7 style.

• Disable Enhance Pointer Precision:

  • Mouse Properties -> Pointer Options -> Motion section

• Laptop: change touchpad sensitivity to medium or high in order to prevent mouse movement when palm touches the pad while typing.

  • If using a Lenovo then disable touchpad lock in the Lenovo Vantage app.

• Desktop: turn off hibernation

  • Open admin cmd prompt: powercfg.exe /hibernate off

• Disable power throttling:

  • winkey+r -> gpedit.msc.
  • Computer Configuration > Administrative Templates > System > Power Management > Power Throttling Settings
    • Double-click the Turn off Power Throttling policy.
    • Select Enabled.

• Enable Ultimate Power Plan (alternatively make a new plan and set the min/max processor speed to 100%)

  • Open cmd as admin, run powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61
  • Can now select the ultimate power plan in power options.

• Create a power plan for software benchmarking

  • This will disable turbo boost and general lock the frequency to base-ish clock. This can help keep CPU temps stable (hot temps affect clock) and it avoids variable clock changes.
  • AFAIK this only works for Intel CPUs; not sure how to do the same thing on AMD.
  • In the power plan set the processor min/max speed to 99%.

• Disable reserved network bandwidth

  • winkey+r -> gpedit.msc.
  • Computer Configuration > Administrative Templates > Network > QoS Packet Scheduler > Limit reservable bandwidth
    • Enable it and set the % to 0.

• Disable auto folder type discovery to speed up opening folders with a lot of files

  • Open disable-folder-type-auto-discovery.reg from this folder.

• Turn off drive indexing for all drives since we'll be using Everything app for search and it does its own indexing.

  • Right-click a drive, under General tab uncheck Allow files on this drive to have contents indiexed ...

• Disable UAC screen dimming

  • Open User Account Control settings
  • Drag the slider down to the notch that doesn't dim the screen.

• Disable remote assistance

• Disable Windows error reporting dialog so that when stuff crashes you can get to a debugger faster.

  • Open an admin cmd prompt and run the file disable-windows-error-reporting-dialog.bat from this directory.

• Disable Microsoft Compatibility Appraiser (I believe this is for checking if you can run the next major OS; it's a CPU hog)

  • Open task scheduler.
  • Go to Microsoft\Windows\Application Experience and disable the Microsoft Compatibility Appraiser task.

• Disable the WinSAT task which is used to figure out your Windows performance score. It eats up processor time and is generally useless.

  • Open task scheduler.
    • note If you see an error about a selected task {0} no longer existing then you'll need to repair the task scheduler. See https://www.thewindowsclub.com/the-selected-task-0-no-longer-exists-error-in-task-scheduler
  • Go to Microsoft\Windows\Maintenance and disable the WinSAT task.

• Disable the Windows Customer Experience Improvement program via group policy https://web.archive.org/web/20200131202352/https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/

• Disable web search in Windows explorer search box (can speed up the horrible search feature, but really just use the Everything app!)

  • Group policy editor:
    • Computer Configuration -> Administrative Templates -> Windows Components -> Search
    • Enable Do no allow web search and Don't search the web or disable web results in Search
  • Alternatively, just disable the Windows search service altogether.

• Disable Cortana:

  • Group policy editor:
    • Computer Configuration -> Administrative Templates -> Windows Components -> Search
    • Disable Allow Cortana ... settings.

• Increase TDR setting for GPU Driver

  • TDR determines the length of time that a GPU can hang on a computation until the OS restarts the driver. By default this is set to a few seconds so you can experience app crashes when using GPU intensive software, like 3D modeling or texturing. To increase the duration, follow this guide: https://web.archive.org/web/20191107173337/https://docs.substance3d.com/spdoc/gpu-drivers-crash-with-long-computations-128745489.html

• Optional: disable Windows Defender real-time protection:

  • This can speed up compilation times since Defender will scan every file written to disk. I was able to shave off ~2-5 seconds in a particular project.
    • If you'd rather keep real-time protection active then you can add specific files or folders to the Defender exclusion list in the Windows Security settings, however I did some testing and didn't see any speedup when excluding a project folder.
  • Go into the Windows security settings and disable Tamper Protection.
    • winkey+r -> gpedit.msc.
  • Can now disable either with a policy or some custom batch files.
  • Group policy:
    • Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus -> Real-time Protection
      • Double-click the Turn off real-time protection policy.
      • Select Enabled (you may have to restart PC).
      • If you want to re-enable then change the policy to Not configured and re-enable tamper protection.
  • Batch files: in dotfiles/bin run antimalware-service-disable.bat then restart. Reenable it with antimalware-service-enable.bat

• Enable/disable various Window features:

  • Go to Add/Remove Programs -> Turn Windows features on or off
  • Disable:
    • Windows hypervisor platform (can break Virtualbox)
    • Internet Explorer 11
    • Legacy Components - DirectPlay
    • Media Features - Windows Media Player
    • Microsoft Print to PDF
    • Microsoft XPS Document Writer (and any other XPS components)
    • Print and Document Services - Internet Printing Client & Windows Fax and Scan
    • Windows PowerShell 2.0 (current version is 5+ as of 2021-03-05)
    • Work folders client

• Turn off various startup processes

  • ctrl+shift+esc -> startup

• Disable unneeded services

• Pin "This PC" to taskbar

  • In Win 10 start menu, search for "This PC", right click top result and pin to taskbar

• Disable collection of recently opened files

  • winkey+r -> gpedit.msc.
  • User Configuration > Administrative Templates > Start Menu and Taskbar
    • Double-click the Do no keep history of recently opened documents policy.
    • Select Enabled.

• Configure Explorer's options

  • Open file explorer, click on File menu then options or "Change folder and search options"
    • General tab
      • Open File Explorer to: This PC
      • Uncheck Show recently used files in Quick access
      • Uncheck Show frequently used folder in Quick access
    • View tab
      • Check Show hidden files, folders, or drives,
      • Uncheck Hide extensions for known file types

• Disable reopening apps on startup

  • Windows settings -> Account -> Sign in options -> Privacy section: turn off Use my sign-in info to automatically finish setting up device

• Disable window suggestion when snapping a window

  • Windows settings -> System -> Multitasking -> uncheck "When I snap a window, show what I can snap next to it"

• Restore classic Windows Photo Viewer app (the default Win10 photos app is fucking awful):

  • Open photo_viewer.reg from this folder.
  • You'll need to change the default app for the various image extensions. Don't change gif types though because photo viewer doesn't support animations.
  • Open disable-are-you-sure-you-want-to-open-with-the-default-program-dialog.reg to stop it from occasionally asking if you still want to use photo viewer.

• Add custom hosts file

  • Run notepad as administrator
  • Open C:/Windows/System32/Drivers/etc/hosts
  • Add contents of the hosts file from this directory
  • Restart PC
  • Note: Windows Defender is going to alert you about the change. Tell it to ignore. Also, POS Windows will periodically reset this file to the default state so you'll want to check it every so often.

• Install the Windows SDK https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

  • Will install to c:\Program Files (x86)\Windows Kits\10

• Setup a symbol server:

  • Right-click My Computer -> Properties -> Advanced Tab -> Environment Variables
  • Add a new System Variable called _NT_SYMBOL_PATH
  • Set the value to SRV*c:\symbols*http://msdl.microsoft.com/download/symbols, replacing the first path to where you want the symbols to live.

• Configure crash dump storage location for projects via the registry.

• Disable various web trackers using browserleaks.com as a guide.

  • e.g. disable WebGL, canvas fingerprinting, geolocation, font fingerprint, etc.

• Disable the annoying Windows alert sound that plays when doing things like using a terminal, hitting tab to autocomplete and it has no match.

  • Open C:/windows/media
  • Find Windows Background.wav
  • Right-click -> Properties -> Security -> Advanced -> Change Owner from TrustedInstaller to your user account -> Apply
  • Back in the previous Security tab, click Edit to change permisisons -> add your user account and grant all permissions
  • Now you can delete the file or rename it.

• Map caps key to left-ctrl

  • If the keyboard supports remapping at the hardware level (e.g. like the Keychron keyboards) then map it there and this should cover all use cases, including Steam Link which for some reason does not respect the various remapping setups (except for PowerTools - see below).
  • For software based remapping, there are two options:
    • Use SharpKeys for a simple config change in Windows. You don't have to run any software at startup to get the remapping. The downside is that this doesn't work over Steam Link.
    • Use Bill Microsoft's PowerTools. Install it and then go to the key remapper tool in the settings. This works over Steam Link but it requires you to run the program to get the remapping. If you go down this path then be sure to go through the settings and disable the various tools that you don't want.

• If using 2+ monitors with different resolutions then you'll very likely have trouble with the mouse cursor moving from one screen to another due to a bad mapping. You can fix this by installing LittleBigMouse, run it, check the Allow Corner Crossing box and then apply. But note that I had some issues when running this. I forget the details now. Ended up uninstalling.

• Do a pass over all Windows setting screens for anything obvious that wasn't covered here.

• Open the Windows settings Apps & features and remove bloatware that isn't visible in the control panel add/remove list, e.g. OneDrive