February 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28

Archive for the ‘Windows’ Category

Windows Users like “Window Manager\DWM-3” are virtual users

Posted by jpluimers on 2021/03/15

Having seen logon failures from user Window Manager\DWM-3 while on a public WiFi network, I did a quick search on [WayBack] “Window Manager\DWM-3” – Google Search.

It appeared somebody trying a dictionary attack on the RDP port of my Windows VM which was on the host Bridged Network (see [Archive.is] Help – VMware Fusion 6 Documentation Center).

This is a virtual user that is part of a series of users that the Desktop Window Manager started using from Windows 8 and up.

The first user always exist, DWM-2 and up are created for new dwm.exe processes (by winlogon.exe) when users start logging on through RDP connections to a Windows machine:

Window Manager\DWM-1
Window Manager\DWM-2
Window Manager\DWM-3
Window Manager\DWM-4

In addition to logging on as a new user, as of Windows 8, these also are created when shutting down and starting up (which Windows fools you by actually doing a kind of hibernate): [Wayback] windows 8 – What is winlogon.exe -SpecialSession? – Super User

–jeroen

Posted in Power User, Windows, Windows 10, Windows 8, Windows 8.1 | Leave a Comment »

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Posted by jpluimers on 2021/03/12

On my reading list, because I saw it suddenly enabled on a domain based Windows network:

[WayBack] Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.

It seems to have been introduced early 2018: Windows Defender – Wikipedia: Advanced Features

Windows 10’s Anniversary Update introduced Limited Periodic Scanning, which optionally allows Windows Defender to scan a system periodically if another antivirus app is installed.^[5] It also introduced Block at First Sight, which uses machine learning to predict whether a file is malicious.^[21]

There is a BAFS – Windows Defender Testground for which you need a Microsoft account.

–jeroen

Posted in Power User, Security, Windows, Windows 10 | Leave a Comment »

Reminder of Windows 10 update “What’s New” location

Posted by jpluimers on 2021/03/02

If you forgot what Microsoft has added, look for a file named like this:

C:\Program Files\WindowsApps\Microsoft.Getstarted_7.3.20251.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe

Disregard any warnings you find through the above link: it is a legit file installed during Windows 10 update.

–jeroen

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Research list: getting rid of the Windows 10 Delivery Content data and service

Posted by jpluimers on 2021/02/15

Not sure yet if this is still possible, but on my research list as it pollutes low-resource Windows 10 VMs and computers the Delivery Content:

[WayBack] Delivery Optimization Service can’t be disabled after the last Windows 10 Update – Super User
[WayBack] Reddit: Can I block an IP range for Windows 10 download? : sysadmin
[WayBack] How To Turn Off Windows 10 Update Delivery Optimization Feature | Redmond Pie
[WayBack] Delivery Optimization service downloading something and using all my bandwidth
[WayBack] Microsoft Clarifies Windows 10 ‘Delivery Optimization’ — Redmond Channel Partner
[WayBack] Delete Delivery Optimization Files and reclaim lost disk space
[WayBack] Disable and turn off Windows Update Delivery Optimization
[WayBack] Windows Update Delivery Optimization or WUDO
[WayBack] windows 10 – Delivery Optimization service is hogging all my bandwidth, how to stop it? – Super User
Windows Update Delivery Optimization: FAQ
How to control Windows Update Delivery Optimization

To stop downloading updates and apps from or sending updates and apps to other Windows 10 devices on the Internet:
1. Select the Start button, then select Settings > Update & Security > Windows Update > Advanced options.
2. Select Delivery Optimization (or Choose how updates are delivered in earlier versions of Windows 10).
3. Select PCs on my local network.
To stop downloading from or uploading to other PCs on the local network:
1. Select the Start button, then select Settings > Update & Security > Windows Update > Advanced options.
2. Select Delivery Optimization.
3. Make sure Allow downloads from other PCs is turned Off. You’ll get updates and apps directly from Windows Update and from Microsoft Store with Delivery Optimization; however, you won’t download from or upload to other PCs.
If you use a metered or capped Internet connection, Delivery Optimization won’t automatically download or send parts of updates or apps to other PCs on the Internet.

To identify a Wi‑Fi or Ethernet connection as metered or capped:
1. Select the Start button, then select Settings > Network & Internet > Wi‑Fi.
2. Select the network you’re using, and then turn on Set as metered connection.

–jeroen

Read the rest of this entry »

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Deleting the WebCache database – The IE browser cache | Apttech’s Blog

Posted by jpluimers on 2021/02/15

[WayBack] Deleting the WebCache database – The IE browser cache | Apttech’s Blog quotes from WayBack: C drive space is using up on terminal server after upgrading to IE10 or IE11 – AsiaTech: Microsoft Azure & Development:

With the new cache implementation, the cache files are saved in %LocalAppData%\Microsoft\Windows\WebCache\ folder. And, the cache files will be created when a new user logs on.

Actually, the database is a file named WebCacheV01.dat in the cache folder, and its initial size could be around 20-32MB. The size of this file will keep increasing along with you browse more and more websites.

…

save the below contents into ClearIECache.cmd file and try to fun this file.
echo OFF
net stop COMSysApp
taskkill /F /IM dllhost.exe
taskkill /F /IM taskhost.exe
taskkill /F /IM taskhostex.exe
del /Q %LocalAppData%\Microsoft\Windows\WebCache\*.*
net start COMSysApp
echo ON
Furthermore, you’d better deploy the batch file to a logoff script of your local GPO, here are the steps.

–jeroen

Posted in Internet Explorer, Power User, Web Browsers, Windows, Windows 10 | Leave a Comment »

Everything force rescan all volumes – via voidtools forum

Posted by jpluimers on 2021/02/08

Sometimes the Everything search tool gets out of sync with the actual contents on disk, so this tip from [WayBack] Everything 1.3.1.636b does not “refresh” – voidtools forum will rescan all volumes and update the database:

To rebuild the Everything database:

In Everything, from the Tools menu, click Options.

Click the Indexes tab.

Click Force Rebuild.

If that fails, you can always remove/add the volumes:

–jeroen

Posted in Everything by VoidTools, Power User, Windows | Leave a Comment »

Chris Foster: Windows Development in a KVM Virtual Machine

Posted by jpluimers on 2021/02/04

For my link archive: [WayBack] Chris Foster: Windows Development in a KVM Virtual Machine covering among others much (mostly based [WayBack] libvirt: The virtualization API) stuff:

virt-manager (Virtual Machine Manager – Wikipedia)
[WayBack] QEMU guest agent
VirtIO drivers like these (there are more, see [WayBack] Virtio – OSDev Wiki and [WayBack] Windows Guest Virtual Machines on Red Hat Enterprise Linux 7)
- [WayBack] Balloon driver
- [WayBack] NetKVM
- vioserial
- viostor

A choco install list

Posted by jpluimers on 2021/02/03

Sometimes I forget the choco install mnemonics for various tools, so here is a small list below.

Of course you have to start with an administrative command prompt, and have a basic Chocolatey Installation in place.

If you want to clean cruft:

choco install --yes choco-cleaner

Basic install:

choco install --yes 7zip
choco install --yes everything
choco install --yes notepadplusplus
choco install --yes beyondcompare
choco install --yes git.install --params "/GitAndUnixToolsOnPath /NoGitLfs /SChannel /NoAutoCrlf /WindowsTerminal"
choco install --yes hg
choco install --yes sourcetree
choco install --yes sysinternals

For VMs (pic one):

choco install --yes vmware-tools
choco install --yes virtio-drivers

For browsing (not sure yet about Chrome as that one has a non-admin installer as well):

choco install --yes firefox

For file transfer (though be aware that some versions of Filezilla contained adware):

choco install --yes filezilla
choco install --yes winscp

For coding:

choco install --yes vscode
choco install --yes atom

For SQL server:

choco install --yes sql-server-management-studio

For web development / power user:

choco install --yes fiddler

For SOAP and REST:

choco install --yes soapui

If you don’t like manually downloading SequoiaView at gist.github.com/jpluimers/b0df9c2dba49010454ca6df406bc5f3d (e8efd031d667de8a1808d6ea73548d77949e7864.zip):

choco install --yes windirstat

For drawing, image manipulation (paint.net last, as it needs a UI action):

choco install --yes gimp
choco install --yes imagemagick
choco install --yes paint.net

For ISO image mounting in pre Windows 10:

choco install --yes wincdemu

For hard disk management:

choco install --yes hdtune
choco install --yes seatools
choco install --yes speedfan

For Fujitsu ScanSnap scanners (not sure yet this includes PDF support):

choco install --yes scansnapmanager

–jeroen

Posted in 7zip, atom editor, Beyond Compare, Chocolatey, Compression, Database Development, Development, DVCS - Distributed Version Control, Everything by VoidTools, Fiddler, Firefox, Fujitsu ScanSnap, git, Hardware, Mercurial/Hg, Power User, Scanners, SOAP/WebServices, Software Development, Source Code Management, SQL Server, SSMS SQL Server Management Studio, SysInternals, Text Editors, Versioning, Virtualization, VMware, VMware ESXi, vscode Visual Studio Code, Web Browsers, Web Development, Windows | Leave a Comment »

Windows events for Remote Desktop connections

Posted by jpluimers on 2021/01/25

Some notes and links, as eventually I want to react on Windows events raised for successful Remote Desktop connections.

Log-files:

Name Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Name Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

EventID 25:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" /> 
<EventID>25</EventID> 
<Version>0</Version> 
<Level>4</Level> 
<Task>0</Task> 
<Opcode>0</Opcode> 
<Keywords>0x1000000000000000</Keywords> 
<TimeCreated SystemTime="2019-02-06T13:48:02.978377900Z" /> 
<EventRecordID>5358</EventRecordID> 
<Correlation ActivityID="{F4203346-1BFB-421E-8668-C7503D590000}" /> 
<Execution ProcessID="308" ThreadID="12552" /> 
<Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel> 
<Computer>MACHINE-NAME.subdomain.domain</Computer> 
<Security UserID="S-1-5-18" /> 
</System>
<UserData>
<EventXML xmlns="Event_NS">
<User>DOMAIN\jeroen</User> 
<SessionID>2</SessionID> 
<Address>192.168.1.42</Address> 
</EventXML>
</UserData>
</Event>

Links on the events:

[WayBack] Is there a log file for RDP connections?
[WayBack] Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits

A cohesive and comprehensive walk-through of the most common and empirically useful RDP-related Windows Event Log Sources and ID’s, grouped by stage of occurrence (Connection, Authentication, Logon, Disconnect/Reconnect, Logoff).

…

Event ID: 25
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session reconnection succeeded:”
Notes: The user has reconnected to an RDP session, when the “Source Network Address” contains a remote IP address. A “Source Network Address” of “LOCAL” simply indicates a local session reconnection and does NOTindicate a remote RDP session reconnection. Note the “Source Network Address” for the source of the RDP connection. This is typically paired with an Event ID 40. Take note of the SessionID as a means of tracking/associating additional Event Log activity with this user’s RDP session.

TL;DR: The user has reconnected to an existing RDP session, so long as the “Source Network Address” is NOT “LOCAL”.
[WayBack] Jeroen Pluimers on Twitter: “How can I run a script (batch or powershell) when a remote desktop connection starts? (either re-connects to an existing Windows logon session, or starts a new Windows logon session)? I know how to cover the last, but not the first.”
[WayBack] CHUA Chee Wee on Twitter: “Watch Windows event log for RDP events. You’ll figure which one out, then execute a designated script.”
[WayBack] Jeroen Pluimers on Twitter: “Thanks, found it: Log Name Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Log Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx EventID 25 Now I need to find how to initiate a script on this.”
[WayBack] CHUA Chee Wee on Twitter: “Manually, it’s within eventvwr, click on the event and right click, select attach task to this event. Programmatically, you’ll need to figure out the equivalent.”
[WayBack] Jeroen Pluimers on Twitter: “Thanks. In the mean time I was collecting some links for a blog post about this which includes blogs.technet.microsoft.com/wincat/… That’s a more elaborate version of what you describe, so both of these will get me going.”

Links on triggers and scripts running because of events:

[WayBack] Automation example using Windows Event as trigger : sysadmin
[WayBack] Trigger a PowerShell Script from a Windows Event – Server and Cloud Partner and Customer Solutions Team Blog
[WayBack] PowerShell: BgInfo Automation script | Wim’s System Center blog
[WayBack] Complex Event Processing (Middleware)—a Technical Reference Guide for Designing Mission-Critical Middleware Solutions
[WayBack] Configure Event Log Forwarding in Windows Server 2012 R2
[WayBack] Run a scheduled task after a Windows service is started – Super User
[WayBack] Advanced XML filtering in the Windows Event Viewer | Ask the Directory Services Team
[WayBack] How to Disable Automatic Updates on Windows 10 | NUCUTA: Disable Windows 10 Update with Windows Task Scheduler

There is no convenient way to disable automatic updates on Windows 10, This guide presents 8 working methods to disable automatic updates with ease.
[WayBack] Trigger a PowerShell Script from a Windows Event – Server and Cloud Partner and Customer Solutions Team Blog

–jeroen

Read the rest of this entry »

Posted in Power User, Windows, Windows 10 | Leave a Comment »

How to remove (disable or hide) User Accounts on the Windows 10 Login Screen – Make Tech Easier

Posted by jpluimers on 2021/01/11

Works on my systems too (I think it works from Windows XP on) to hide users from the home screen: [WayBack] How to Hide User Accounts on the Windows 10 Login Screen – Make Tech Easier.

Show only the last logged on user, but add a switch-user dialog

Run the below .reg file on your machine, or manually add this key (does not need any value): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\DomainStyleLogon

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\DomainStyleLogon]

Note the empty line at the end of the .reg file: that is by intention.

This will show the last logged-on user on the home screen, but still allows users to perform a switch to other users.

Disable the users on the logon screen from interactive logon

Warning: do NOT disable your administrator user this way!

For why not, see the various users that lost access: [WayBack] Hide User Accounts on Windows 7 Logon – Windows 7 IT Pro > Windows 7 User Interface

use net user on the command prompt to list the usernames and note the username you want to hide from the login screen
run regedit to edit the registry
ensure this registry key exists HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Under that key, create a new key SpecialAccounts
Under the SpecialAccounts key, create a new key UserList
Under the UserList key, create a new DWORD (32-bit) value with the Value name equal to the username and the Value data to zero (0, which is the default)
Reboot
Observe that user is not on the login window any more.

Example:

If you lost access because of `SpecialAccounts`

If you would like to unhide the hidden Administrator account on Windows 7:

Boot a Windows 7 Installation DVD or ISO

go to command prompt and type regedit -it

click on HKLM hive and

next navigate File>>Load hive

navigate to C:\Windows\System32\config folder and choose `SOFTWARE` file load it and assign this hive any name for example REM_SOFTWARE

open key HKEY_LOCAL_MACHINE\REM_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

remove the Administrator account

or better way remove the whole key HKEY_LOCAL_MACHINE\REM_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts

–jeroen

Posted in Power User, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1 | Leave a Comment »

« Previous Entries

Next Entries »

	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Windows’ Category

Windows Users like “Window Manager\DWM-3” are virtual users

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Reminder of Windows 10 update “What’s New” location

Research list: getting rid of the Windows 10 Delivery Content data and service

How to control Windows Update Delivery Optimization

Deleting the WebCache database – The IE browser cache | Apttech’s Blog

Everything force rescan all volumes – via voidtools forum

Chris Foster: Windows Development in a KVM Virtual Machine

A choco install list

Windows events for Remote Desktop connections

How to remove (disable or hide) User Accounts on the Windows 10 Login Screen – Make Tech Easier

Show only the last logged on user, but add a switch-user dialog

If you lost access because of `SpecialAccounts`

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Windows’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

How to control Windows Update Delivery Optimization

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Show only the last logged on user, but add a switch-user dialog

If you lost access because of SpecialAccounts

Rate this:

Share this:

If you lost access because of `SpecialAccounts`