Windows 10

From Segfault

BitLocker

For some reason Windows BitLocker would not prompt for the decryption password that was set when BitLocker was initialized. This may be related to the TPM: somehow the password is handed off to the TPM chip and the user is no longer prompted for it.[1] To prevent that and to restore the password prompt:

  1. Open gpedit.msc
  2. Open Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
  3. Select and enable Require additional authentication at startup
    1. Allow BitLocker without a compatible TPM: Yes
    2. Configure TPM startup: Do not allow TPM
    3. Configure TPM startup PIN: Require startup PIN with TPM
    4. Configure TPM startup key: Do not allow startup key with TPM
    5. Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
    6. Allow enhanced PINs for startup: Enabled
    7. Configure use of passwords for operating system drives: Enabled
    8. Configure password complexity for operating system drives: Allow password complexity

For non-system drives, the following needs to be set:

  1. Open Fixed Data Drives
  2. Enable Configure use of passwords for fixed data drives
    1. Require password for fixed data drive: Checked
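
To confirm that the settings took effect, the following added example (not part of the original page) prints the registry values that back these policies and reports which key protectors each volume really uses. The function name Test-PreBootPrompt is made up for this example; it needs an elevated PowerShell prompt.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Protector types that make BitLocker ask for a secret before Windows starts.
$Interactive = 'TpmPin', 'TpmPinStartupKey', 'Password'

function Test-PreBootPrompt {
    # $Types: the key protector type names found on one volume.
    param([string[]]$Types)
    $silent = $Types -contains 'Tpm'    # a TPM-only protector releases the key unattended
    $asks   = [bool]($Types | Where-Object { $Interactive -contains $_ })
    [pscustomobject]@{
        Protectors   = ($Types -join ', ')
        SilentUnlock = $silent
        PromptsUser  = $asks -and -not $silent
    }
}

# Registry values that back the Group Policy settings from the steps above.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$names  = 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'UseTPM', 'UseTPMPIN',
          'UseTPMKey', 'UseTPMKeyPIN', 'UseEnhancedPin', 'OSPassphrase', 'FDVPassphrase'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
foreach ($n in $names) {
    $value = if ($null -ne $policy.$n) { $policy.$n } else { '(not configured)' }
    '{0,-20} {1}' -f $n, $value
}

# What each volume actually uses. The policy only governs which protectors may
# be added; an existing TPM-only protector stays until it is replaced.
foreach ($vol in Get-BitLockerVolume) {
    $types  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $result = Test-PreBootPrompt -Types $types
    '{0} [{1}] protectors: {2}' -f $vol.MountPoint, $vol.VolumeType, $result.Protectors
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not $result.PromptsUser) {
        Write-Warning "$($vol.MountPoint) starts without a PIN or password prompt"
    }
}
```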

WSL

Installation

The Windows Subsystem for Linux Installation Guide for Windows 10 is pretty straightforward, but let's summarize it anyway. As an administrator in a PowerShell window:

cd c:\temp
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Download[2] a Linux distribution, for example Ubuntu 18.04:

Invoke-WebRequest -Uri https://aka.ms/wsl-ubuntu-1804 -OutFile Ubuntu.appx -UseBasicParsing

Install with:

Add-AppPackage .\Ubuntu.appx

The noisy terminal bell can be disabled[3] via /etc/inputrc:

set bell-style none

Usage

Change the default user to someone else:

$ alpine config --default-user bob

But how do we find out the actual executable for our installed distribution?

$ where *leap*
C:\Windows\System32\FileAppxStreamingDataSource.dll
C:\Windows\System32\PeopleAPIs.dll
C:\Users\ck\AppData\Local\Microsoft\WindowsApps\openSUSE-Leap-15-1.exe

Let's try this:

$ openSUSE-Leap-15-1 config --default-user bob
/usr/bin/id: ‘bob’: no such user

We have to make sure the user actually exists in the VM :-)
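
Instead of guessing the launcher name with where, the registered distributions can be listed together with their default UID, and the user can be checked before the default is changed. This is an added example, not part of the original page: the function names are made up, and it assumes that WSL records distributions under the Lxss registry key, that launcher aliases also sit in a per-package folder below WindowsApps, and that the launcher accepts the run sub-command.

```powershell
function Get-WslDistroInfo {
    # Assumption: one subkey per registered distribution under this key.
    $lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    Get-ChildItem -Path $lxss -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-ItemProperty -Path $_.PSPath
        $launcher = $null
        if ($d.PackageFamilyName) {
            # Assumption: Store packages expose their launcher alias here.
            $dir = Join-Path $env:LOCALAPPDATA "Microsoft\WindowsApps\$($d.PackageFamilyName)"
            if (Test-Path $dir) {
                $launcher = (Get-ChildItem -Path $dir -Filter *.exe).Name -join ', '
            }
        }
        [pscustomobject]@{
            Distro        = $d.DistributionName
            DefaultUid    = $d.DefaultUid
            RootByDefault = ($d.DefaultUid -eq 0)   # UID 0: every session starts as root
            Launcher      = $launcher
        }
    }
}

function Set-WslDefaultUser {
    # Refuse to change the default user unless the account exists in the distribution.
    param(
        [Parameter(Mandatory)][string]$Launcher,   # e.g. openSUSE-Leap-15-1.exe
        [Parameter(Mandatory)][string]$User
    )
    & $Launcher run id -u $User *> $null
    if ($LASTEXITCODE -ne 0) {
        throw "User '$User' does not exist in the distribution; create it there first."
    }
    & $Launcher config --default-user $User
}

Get-WslDistroInfo | Format-Table -AutoSize
# Set-WslDefaultUser -Launcher openSUSE-Leap-15-1.exe -User bob
```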

Restart WSL:

Restart-Service LxssManager
Get-Service LxssManager

Or, w/o PowerShell:

$ sc queryex LxssManager | find "PID"
       PID                : 2540

$ tasklist /FI "PID eq 2540"
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                   2540 Services                   0     11,256 K

Sound

For some reason we needed sound support in our WSL environment. Another blog explained how to do this[4] but we only need sound on the command line, so we can omit some parts. The important steps are:

  • Download a precompiled pulseaudio binary from freedesktop.org
  • Extract it and edit two files before we can start it:
etc\pulse\default.pa
load-module module-waveout sink_name=output source_name=input
load-module module-waveout sink_name=output source_name=input record=0

#load-module module-native-protocol-tcp
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
etc\pulse\daemon.conf
; exit-idle-time = 20
exit-idle-time = -1
  • With that, pulseaudio.exe should be able to start and will now listen on localhost
  • For our needs, all we needed to do was to point our music program (in WSL) to the Pulseaudio server (running in Windows):
export PULSE_SERVER=tcp:127.0.0.1
mpg123 file.mp3

Other programs may need other hints to connect to the Pulseaudio server though.

Miscellaneous

Disable 3D Objects

Remove the key {0DB7E03F-FC29-4DC6-9020-FF41B59E513A} from the registry locations to disable that useless 3D Objects directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace

Disable Web Search

Disable the (Bing) Web Search[5] in the start menu:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
"CortanaConsent"=dword:00000000
"BingSearchEnabled"=dword:00000000

Group Policy Editor

For some reason the Group Policy Editor cannot be started as a mere user:

$ runas /user:root "mmc %windir%\system32\gpedit.msc"
Enter the password for root:
Attempting to start mmc C:\WINDOWS\system32\gpedit.msc as user "WIN10\root" ...
RUNAS ERROR: Unable to run - mmc C:\WINDOWS\system32\gpedit.msc
740: The requested operation requires elevation.

One can run the Group Policy Editor via the Start Menu, but we need to provide the .msc here so that the "Run as administrator" option is offered.

Import Certificates

Root certificates, and intermediates:

Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user root $_.FullName }
Get-ChildItem -Path "*crt" | Foreach-Object { certutil.exe -addstore -user CA   $_.FullName }

If there are subdirectories involved:

Get-ChildItem -Path "." -Recurse -Filter *.crt | Foreach-Object { echo $_.Name }
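
The two certutil commands above add every file to both the Root and the CA store. The following added example (not part of the original page; function names are made up) reads each certificate first and puts self-issued CA certificates into Root and other CA certificates into CA, skipping expired and non-CA files. It assumes the .crt files each hold a single certificate.

```powershell
function Get-CertImportPlan {
    # Inspect every *.crt below $Path and decide which user store it belongs in.
    param([string]$Path = '.')
    Get-ChildItem -Path $Path -Recurse -Filter *.crt | ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName)
        $bc   = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = [bool]($bc -and $bc.CertificateAuthority)
        # Name comparison only; it does not verify the signature.
        $selfIssued = $cert.Subject -eq $cert.Issuer

        $store = ''
        if ($cert.NotAfter -lt (Get-Date)) { $note = 'expired' }
        elseif (-not $isCa)                { $note = 'no CA basic constraint, review manually' }
        elseif ($selfIssued)               { $store = 'Root'; $note = 'self-issued CA' }
        else                               { $store = 'CA';   $note = 'issued by another CA' }

        [pscustomobject]@{
            File       = $_.FullName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Store      = $store
            Note       = $note
        }
    }
}

function Import-PlannedCert {
    # Without -Apply this only prints what would be imported.
    param([Parameter(ValueFromPipeline)]$Plan, [switch]$Apply)
    process {
        if (-not $Plan.Store) { Write-Warning "skipping $($Plan.File): $($Plan.Note)"; return }
        if ($Apply) { certutil.exe -addstore -user $Plan.Store $Plan.File }
        else        { "would add $($Plan.File) to the user $($Plan.Store) store" }
    }
}

Get-CertImportPlan | Format-Table File, Subject, Thumbprint, NotAfter, Store, Note -AutoSize
# Compare the thumbprints against a trusted source, then:
# Get-CertImportPlan | Import-PlannedCert -Apply
```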

Generate a Java keystore from the certificates:

Get-ChildItem -Path "*crt" | Foreach-Object {  keytool -import -alias $_.Name -keystore ..\keystore.pfx -file $_.FullName -storepass XXX -noprompt }

List the certificates in the keystore:

keytool -v -list -keystore .\keystore.pfx -storepass XXX | Select-String "Alias"

Samba Guest Logins

To access SMB2 guest logins with Windows 10, we may need to enable "insecure guest logons" in the Group Policy[6]:

  • Start gpedit.msc
  • Enter Computer Configuration > Administrative Templates > Network > Lanman Workstation
  • Enable "Enable insecure guest logons"

Startup Items

According to their support site[7]:

  • Open shell:startup via Windows+R to open the Startup items directory.
  • Place whatever is needed here, for example Pageant shortcuts[8]:
> Create a shortcut to the pageant.exe
> Right click on the shortcut and open 'Properties'
> Target: "<path to>/pageant.exe" key.ppk
> Start in: "<path to key.ppk>"

Verbose Boot

To enable verbose boot[9], via the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DWORD32:VerboseStatus=1

Or via a Group Policy:

  1. Open gpedit.msc
  2. Select Computer Configuration > Administrative Templates > System
  3. Select and enable Display highly detailed status messages

WinSxS

Clean Up the WinSxS Folder, from an elevated command prompt:

dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

Add /SPSuperseded to remove old service pack remnants.

Serial number

$ wmic bios get serialnumber
SerialNumber
1AB1234AAA

Product Key

$ wmic path softwarelicensingservice get OA3xOriginalProductKey
DQ93P-D6KF9-49T8M-7YR9V-89TTB

Bugs

Links

References