June 2026
M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

Archive for the ‘Windows 10’ Category

authentication – Bypassing Windows 10 password with Utilman.exe trick – fixed? – Information Security Stack Exchange

Posted by jpluimers on 2021/05/03

It is debatable if these tricks are vulnerabilities or not: [WayBack] authentication – Bypassing Windows 10 password with Utilman.exe trick – fixed? – Information Security Stack Exchange.

There are arguments that leaving a system open to physical access or allow operating system manipulation, it means it is busted.

On the other hand, making systems more resilient to modification, helps alleviate these problems.

So it pays for developers to harden operating systems against modification.

From the question:

Of the sethc.exe, Utilman.exe, and osk.exe ones in Windows, Utilman.exe seems to have been fixed.

–jeroen

Posted in Power User, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1 | Leave a Comment »

Windows 10: when “wmic path SoftwareLicensingService get OA3xOriginalProductKey” fails, try ProduKey from NirSoft.

Posted by jpluimers on 2021/05/03

Somehow, many Windows 10 systems, when I try on an Administrative command prompt wmic path SoftwareLicensingService get OA3xOriginalProductKey, the result is empty:

Microsoft Windows [Version 10.0.17763.475]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>wmic path SoftwareLicensingService get OA3xOriginalProductKey
OA3xOriginalProductKey



C:\WINDOWS\system32>

On those systems, [Wayback] NirSoft ProduKey always works.

Having a product key at hand is a great help when re-installing Windows 10: often it does not automatically obtain a digital license on the same hardware.

Most of those systems have been upgrades from previous Windows versions, but not all of them: even some new systems have this behaviour.

[WayBack] How to Find Your Lost Windows or Office Product Keys
[WayBack] Windows 10 – This product key didn’t work. Please check it and try – Microsoft Community
[WayBack] GitHub – Superfly-Inc/ShowKeyPlus: Windows product key finder and validation checker (which I have not tried yet, see interesting screenshots below)
- [WayBack] Releases · Superfly-Inc/ShowKeyPlus · GitHub
[WayBack] How to find windows 10 product key using command prompt 2019

–jeroen

Read the rest of this entry »

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Need to research: Nirlauncher v1.23.42 to 1.23.43 upgrade through Chocolatey fails with “Operation did not complete successfully because the file contains a virus or potentially unwanted software.”

Posted by jpluimers on 2021/04/23

I had a curious error despite the build not having any failures on VirusTotal:

You have nirlauncher v1.23.42 installed. Version 1.23.43 is available based on your source(s).
nirlauncher not upgraded. An error occurred during installation:
 Operation did not complete successfully because the file contains a virus or potentially unwanted software.

nirlauncher package files upgrade completed. Performing other installation steps.
The upgrade of nirlauncher was NOT successful.
nirlauncher not upgraded. An error occurred during installation:
 Operation did not complete successfully because the file contains a virus or potentially unwanted software.

choco upgrade throwing virus error during nirsoft 1.23.43 update

When upgrading, this briefly is visible in the Windows Security view “Virus & thread protection”:

[Archive.is] “HackTool:Win32/Passview!MSR” threat explained very thinly by Microsoft as [Archive.is] HackTool:Win32/Passview!MSR.

So I need to figure out a few things before I can upgrade Nirsoft:

Where choco upgrade downloads temporary files
Where these temporary files store their intermediate and final files during installation
How to temporarily exclude the locations of 1. and 2 in Microsoft Defender.

–jeroen

Posted in Chocolatey, Power User, Windows, Windows 10 | Leave a Comment »

Windows 10 Home: allow a certain user to have a non-expiring password

Posted by jpluimers on 2021/03/15

Sometimes it makes sense to have a user never expire the password.

On a non-home editions of Windows, this is easy: just run lusrmgr.msc, then in the UI change the property for the user.

On home editions of Windows, you cannot do this in a GUI: those bits are either disabled or completely unavailable.

I did this on a demo VM system on an elevated command-prompt:

C:\>wmic UserAccount where Name='developer' set PasswordExpires=False
Updating property(s) of '\\DEMO-VM\ROOT\CIMV2:Win32_UserAccount.Domain="DEMO-VM",Name="developer"'
Property(s) update successful.

To show the current state (before I changed it):

C:\>wmic UserAccount where Name='developer'
AccountType  Caption           Description  Disabled  Domain      FullName  InstallDate  LocalAccount  Lockout  Name       PasswordChangeable  PasswordExpires  PasswordRequired  SID                                            SIDType  Status 
512          DEMO-VM\developer              FALSE     DEMO-VM                            TRUE          FALSE    developer  TRUE                TRUE             TRUE              S-1-5-21-2478057260-1439466941-978077079-1002  1        OK

Via: [WayBack] Cocosenor: 4 ways to disable or enable Windows 10 password expiration notification

–jeroen

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Windows Users like “Window Manager\DWM-3” are virtual users

Posted by jpluimers on 2021/03/15

Having seen logon failures from user Window Manager\DWM-3 while on a public WiFi network, I did a quick search on [WayBack] “Window Manager\DWM-3” – Google Search.

It appeared somebody trying a dictionary attack on the RDP port of my Windows VM which was on the host Bridged Network (see [Archive.is] Help – VMware Fusion 6 Documentation Center).

This is a virtual user that is part of a series of users that the Desktop Window Manager started using from Windows 8 and up.

The first user always exist, DWM-2 and up are created for new dwm.exe processes (by winlogon.exe) when users start logging on through RDP connections to a Windows machine:

Window Manager\DWM-1
Window Manager\DWM-2
Window Manager\DWM-3
Window Manager\DWM-4

In addition to logging on as a new user, as of Windows 8, these also are created when shutting down and starting up (which Windows fools you by actually doing a kind of hibernate): [Wayback] windows 8 – What is winlogon.exe -SpecialSession? – Super User

–jeroen

Posted in Power User, Windows, Windows 10, Windows 8, Windows 8.1 | Leave a Comment »

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Posted by jpluimers on 2021/03/12

On my reading list, because I saw it suddenly enabled on a domain based Windows network:

[WayBack] Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.

It seems to have been introduced early 2018: Windows Defender – Wikipedia: Advanced Features

Windows 10’s Anniversary Update introduced Limited Periodic Scanning, which optionally allows Windows Defender to scan a system periodically if another antivirus app is installed.^[5] It also introduced Block at First Sight, which uses machine learning to predict whether a file is malicious.^[21]

There is a BAFS – Windows Defender Testground for which you need a Microsoft account.

–jeroen

Posted in Power User, Security, Windows, Windows 10 | Leave a Comment »

Reminder of Windows 10 update “What’s New” location

Posted by jpluimers on 2021/03/02

If you forgot what Microsoft has added, look for a file named like this:

C:\Program Files\WindowsApps\Microsoft.Getstarted_7.3.20251.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe

Disregard any warnings you find through the above link: it is a legit file installed during Windows 10 update.

–jeroen

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Research list: getting rid of the Windows 10 Delivery Content data and service

Posted by jpluimers on 2021/02/15

Not sure yet if this is still possible, but on my research list as it pollutes low-resource Windows 10 VMs and computers the Delivery Content:

[WayBack] Delivery Optimization Service can’t be disabled after the last Windows 10 Update – Super User
[WayBack] Reddit: Can I block an IP range for Windows 10 download? : sysadmin
[WayBack] How To Turn Off Windows 10 Update Delivery Optimization Feature | Redmond Pie
[WayBack] Delivery Optimization service downloading something and using all my bandwidth
[WayBack] Microsoft Clarifies Windows 10 ‘Delivery Optimization’ — Redmond Channel Partner
[WayBack] Delete Delivery Optimization Files and reclaim lost disk space
[WayBack] Disable and turn off Windows Update Delivery Optimization
[WayBack] Windows Update Delivery Optimization or WUDO
[WayBack] windows 10 – Delivery Optimization service is hogging all my bandwidth, how to stop it? – Super User
Windows Update Delivery Optimization: FAQ
How to control Windows Update Delivery Optimization

To stop downloading updates and apps from or sending updates and apps to other Windows 10 devices on the Internet:
1. Select the Start button, then select Settings > Update & Security > Windows Update > Advanced options.
2. Select Delivery Optimization (or Choose how updates are delivered in earlier versions of Windows 10).
3. Select PCs on my local network.
To stop downloading from or uploading to other PCs on the local network:
1. Select the Start button, then select Settings > Update & Security > Windows Update > Advanced options.
2. Select Delivery Optimization.
3. Make sure Allow downloads from other PCs is turned Off. You’ll get updates and apps directly from Windows Update and from Microsoft Store with Delivery Optimization; however, you won’t download from or upload to other PCs.
If you use a metered or capped Internet connection, Delivery Optimization won’t automatically download or send parts of updates or apps to other PCs on the Internet.

To identify a Wi‑Fi or Ethernet connection as metered or capped:
1. Select the Start button, then select Settings > Network & Internet > Wi‑Fi.
2. Select the network you’re using, and then turn on Set as metered connection.

–jeroen

Read the rest of this entry »

Posted in Power User, Windows, Windows 10 | Leave a Comment »

Deleting the WebCache database – The IE browser cache | Apttech’s Blog

Posted by jpluimers on 2021/02/15

[WayBack] Deleting the WebCache database – The IE browser cache | Apttech’s Blog quotes from WayBack: C drive space is using up on terminal server after upgrading to IE10 or IE11 – AsiaTech: Microsoft Azure & Development:

With the new cache implementation, the cache files are saved in %LocalAppData%\Microsoft\Windows\WebCache\ folder. And, the cache files will be created when a new user logs on.

Actually, the database is a file named WebCacheV01.dat in the cache folder, and its initial size could be around 20-32MB. The size of this file will keep increasing along with you browse more and more websites.

…

save the below contents into ClearIECache.cmd file and try to fun this file.
echo OFF
net stop COMSysApp
taskkill /F /IM dllhost.exe
taskkill /F /IM taskhost.exe
taskkill /F /IM taskhostex.exe
del /Q %LocalAppData%\Microsoft\Windows\WebCache\*.*
net start COMSysApp
echo ON
Furthermore, you’d better deploy the batch file to a logoff script of your local GPO, here are the steps.

–jeroen

Posted in Internet Explorer, Power User, Web Browsers, Windows, Windows 10 | Leave a Comment »

Windows events for Remote Desktop connections

Posted by jpluimers on 2021/01/25

Some notes and links, as eventually I want to react on Windows events raised for successful Remote Desktop connections.

Log-files:

Name Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Name Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

EventID 25:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="{5D896912-022D-40AA-A3A8-4FA5515C76D7}" /> 
<EventID>25</EventID> 
<Version>0</Version> 
<Level>4</Level> 
<Task>0</Task> 
<Opcode>0</Opcode> 
<Keywords>0x1000000000000000</Keywords> 
<TimeCreated SystemTime="2019-02-06T13:48:02.978377900Z" /> 
<EventRecordID>5358</EventRecordID> 
<Correlation ActivityID="{F4203346-1BFB-421E-8668-C7503D590000}" /> 
<Execution ProcessID="308" ThreadID="12552" /> 
<Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel> 
<Computer>MACHINE-NAME.subdomain.domain</Computer> 
<Security UserID="S-1-5-18" /> 
</System>
<UserData>
<EventXML xmlns="Event_NS">
<User>DOMAIN\jeroen</User> 
<SessionID>2</SessionID> 
<Address>192.168.1.42</Address> 
</EventXML>
</UserData>
</Event>

Links on the events:

[WayBack] Is there a log file for RDP connections?
[WayBack] Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits

A cohesive and comprehensive walk-through of the most common and empirically useful RDP-related Windows Event Log Sources and ID’s, grouped by stage of occurrence (Connection, Authentication, Logon, Disconnect/Reconnect, Logoff).

…

Event ID: 25
Provider Name: Microsoft-Windows-TerminalServices-LocalSessionManager
Description: “Remote Desktop Services: Session reconnection succeeded:”
Notes: The user has reconnected to an RDP session, when the “Source Network Address” contains a remote IP address. A “Source Network Address” of “LOCAL” simply indicates a local session reconnection and does NOTindicate a remote RDP session reconnection. Note the “Source Network Address” for the source of the RDP connection. This is typically paired with an Event ID 40. Take note of the SessionID as a means of tracking/associating additional Event Log activity with this user’s RDP session.

TL;DR: The user has reconnected to an existing RDP session, so long as the “Source Network Address” is NOT “LOCAL”.
[WayBack] Jeroen Pluimers on Twitter: “How can I run a script (batch or powershell) when a remote desktop connection starts? (either re-connects to an existing Windows logon session, or starts a new Windows logon session)? I know how to cover the last, but not the first.”
[WayBack] CHUA Chee Wee on Twitter: “Watch Windows event log for RDP events. You’ll figure which one out, then execute a designated script.”
[WayBack] Jeroen Pluimers on Twitter: “Thanks, found it: Log Name Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Log Path %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx EventID 25 Now I need to find how to initiate a script on this.”
[WayBack] CHUA Chee Wee on Twitter: “Manually, it’s within eventvwr, click on the event and right click, select attach task to this event. Programmatically, you’ll need to figure out the equivalent.”
[WayBack] Jeroen Pluimers on Twitter: “Thanks. In the mean time I was collecting some links for a blog post about this which includes blogs.technet.microsoft.com/wincat/… That’s a more elaborate version of what you describe, so both of these will get me going.”

Links on triggers and scripts running because of events:

[WayBack] Automation example using Windows Event as trigger : sysadmin
[WayBack] Trigger a PowerShell Script from a Windows Event – Server and Cloud Partner and Customer Solutions Team Blog
[WayBack] PowerShell: BgInfo Automation script | Wim’s System Center blog
[WayBack] Complex Event Processing (Middleware)—a Technical Reference Guide for Designing Mission-Critical Middleware Solutions
[WayBack] Configure Event Log Forwarding in Windows Server 2012 R2
[WayBack] Run a scheduled task after a Windows service is started – Super User
[WayBack] Advanced XML filtering in the Windows Event Viewer | Ask the Directory Services Team
[WayBack] How to Disable Automatic Updates on Windows 10 | NUCUTA: Disable Windows 10 Update with Windows Task Scheduler

There is no convenient way to disable automatic updates on Windows 10, This guide presents 8 working methods to disable automatic updates with ease.
[WayBack] Trigger a PowerShell Script from a Windows Event – Server and Cloud Partner and Customer Solutions Team Blog

–jeroen

Read the rest of this entry »

Posted in Power User, Windows, Windows 10 | Leave a Comment »

« Previous Entries

Next Entries »

	jpluimers on Windows warned me of disk full…
	jpluimers on Started making people walk me…
	jpluimers on Stack Overflow’s forum is dead…
	jpluimers on Some links on getting the most…
	boctorbill on Some links on getting the most…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Windows 10’ Category

authentication – Bypassing Windows 10 password with Utilman.exe trick – fixed? – Information Security Stack Exchange

Windows 10: when “wmic path SoftwareLicensingService get OA3xOriginalProductKey” fails, try ProduKey from NirSoft.

Need to research: Nirlauncher v1.23.42 to 1.23.43 upgrade through Chocolatey fails with “Operation did not complete successfully because the file contains a virus or potentially unwanted software.”

Windows 10 Home: allow a certain user to have a non-expiring password

Windows Users like “Window Manager\DWM-3” are virtual users

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Reminder of Windows 10 update “What’s New” location

Research list: getting rid of the Windows 10 Delivery Content data and service

How to control Windows Update Delivery Optimization

Deleting the WebCache database – The IE browser cache | Apttech’s Blog

Windows events for Remote Desktop connections

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Windows 10’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

How to control Windows Update Delivery Optimization

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: