Update

Update Windows

Go to Settings under the Start menu. Choose Update & security to open the Windows Update page and check for updates. After the available updates are downloaded and prepared, click Restart now to apply them.

Update Drivers

Right-click the Start menu and choose Device Manager, then use it to update device drivers.

Install Windows Package Manager

winget

Prepare

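Modify hosts

Add this entry to the hosts file:

157.56.8.150 nuget.org

Check the current PowerShell execution policy:

Get-ExecutionPolicy

Allow locally created scripts to run, while requiring downloaded scripts to be signed:

Set-ExecutionPolicy RemoteSigned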

Install winget

Download microsoft-ui-xaml

Download Microsoft.VCLibs

Download winget

Install the packages manually using the Add-AppxPackage PowerShell cmdlet:

Add-AppxPackage Microsoft.UI.Xaml.2.7.appx
Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx
Add-AppxPackage Microsoft.DesktopAppInstaller.msixbundle

Install winget using PowerShell command

$progressPreference = 'silentlyContinue'

$latestWingetMsixBundleUri = $(Invoke-RestMethod https://api.github.com/repos/microsoft/winget-cli/releases/latest).assets.browser_download_url | Where-Object {$_.EndsWith(".msixbundle")}

$latestWingetMsixBundle = $latestWingetMsixBundleUri.Split("/")[-1]

Write-Information "Downloading winget to artifacts directory..." -InformationAction Continue

Invoke-WebRequest -Uri $latestWingetMsixBundleUri -OutFile "./$latestWingetMsixBundle"

Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx

Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx

Add-AppxPackage $latestWingetMsixBundle
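
The script above installs whatever it downloads. The variant below is an added example, not part of the original post: it checks each package's Authenticode signature and signer before calling Add-AppxPackage. The function name Test-MicrosoftSignedPackage, the work directory and the 'O=Microsoft Corporation' signer match are assumptions of this example; it assumes Windows 10 or later.

```powershell
# Added example: download the winget packages, verify them, then install.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'

function Test-MicrosoftSignedPackage {
    param([Parameter(Mandatory)][string]$Path)

    # .appx/.msixbundle files carry an embedded Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    # Assumption of this example: both packages are signed by Microsoft.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "$Path : unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

# Same release lookup as the original script.
$release   = Invoke-RestMethod https://api.github.com/repos/microsoft/winget-cli/releases/latest
$bundleUri = $release.assets.browser_download_url |
    Where-Object { $_.EndsWith('.msixbundle') } |
    Select-Object -First 1
if (-not $bundleUri) { throw 'No .msixbundle asset found in the latest release.' }

# Dependency first, then winget itself.
$downloads = @(
    @{ Uri  = 'https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx'
       File = 'Microsoft.VCLibs.x64.14.00.Desktop.appx' },
    @{ Uri  = $bundleUri
       File = $bundleUri.Split('/')[-1] }
)

# Hypothetical work directory.
$workDir = Join-Path $env:TEMP 'winget-bootstrap'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

foreach ($d in $downloads) {
    $path = Join-Path $workDir $d.File
    Invoke-WebRequest -Uri $d.Uri -OutFile $path -UseBasicParsing

    if (-not (Test-MicrosoftSignedPackage -Path $path)) {
        Remove-Item -LiteralPath $path
        throw "Refusing to install $($d.File): signature check failed."
    }

    # Record what was installed so it can be compared later.
    '{0}  {1}' -f (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash, $d.File
    Add-AppxPackage -Path $path
}
```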

Updating settings

winget settings

The settings file is located at:

%LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json

Example settings:
{
    "$schema": "https://aka.ms/winget-settings.schema.json",
    "source": {
        "autoUpdateIntervalInMinutes": 0
    },
    "installBehavior": {
        "disableInstallNotes": true,
        "portablePackageUserRoot": "C:/Users/Ye/Packages/",
        "portablePackageMachineRoot": "C:/Program Files/Packages/",
        "preferences": {
            "scope": "machine",
            "locale": [ "en-US", "zh-CN" ],
            "architectures": ["x64", "x86"]
        },
        "defaultInstallRoot": "C:/Program Files/"
    },
    "uninstallBehavior": {
        "purgePortablePackage": true
    },
    "telemetry": {
        "disable": true
    },
    "logging": {
        "level": "info"
    },
    "network": {
        "downloader": "do",
        "doProgressTimeoutInSeconds": 60
    },
    "interactivity": {
        "disable": true
    }
}

Batch scripts and PowerShell scripts

@echo off  
Echo Install Powertoys and Terminal  
REM Powertoys  
winget install Microsoft.Powertoys  
if %ERRORLEVEL% EQU 0 Echo Powertoys installed successfully.  
REM Terminal  
winget install Microsoft.WindowsTerminal  
if %ERRORLEVEL% EQU 0 Echo Terminal installed successfully.
...

If a program I need isn’t available on Winget I add the name of this program to the top of my script as a comment:

<# Not available in Winget:
Adobe Creative Cloud
MSI Afterburner
ThrottleStop
#>

...
winget upgrade --all

scoop

Run the following command in the PowerShell:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
irm get.scoop.sh | iex

Install WSL

Open PowerShell (or Windows Command Prompt) and enter:

wsl --install

Install Essential Software Using winget

Environment variables:

Variable             Explanation
USERPROFILE          C:\Users\<username>
LOCALAPPDATA         %USERPROFILE%\AppData\Local
PROGRAMFILES         C:\Program Files
PROGRAMFILES(X86)    C:\Program Files (x86)

“%LOCALAPPDATA%\Programs” is where programs are installed for a specific user, and it is the recommended location for programs that do not need elevated rights. The logic is that a program that can run entirely within the much more limited rights of a non-admin user account, with its stricter limitations, is by nature a much safer application.

Runtime components

Run the following command in the PowerShell:

winget install --force Microsoft.VCRedist.2015+.x86
winget install --force Microsoft.VCRedist.2015+.x64
winget install --force Microsoft.VCRedist.2013.x86
winget install --force Microsoft.VCRedist.2013.x64
winget install --force Microsoft.VCRedist.2012.x86
winget install --force Microsoft.VCRedist.2012.x64
winget install --force Microsoft.VCRedist.2010.x86
winget install --force Microsoft.VCRedist.2010.x64
winget install --force Microsoft.VCRedist.2008.x86
winget install --force Microsoft.VCRedist.2008.x64
winget install --force Microsoft.VCRedist.2005.x86
winget install -e --id Microsoft.DotNet.DesktopRuntime.6
winget install -e --id Oracle.JavaRuntimeEnvironment

Install Dev Tools

Run the following command in the PowerShell:

winget install -e --id vim.vim
winget install -e --id Git.Git
winget install -e --id GitHub.cli
winget install -e --id Microsoft.VisualStudioCode
winget install -e --id Python.Python.3.10
winget install -e --id JetBrains.PyCharm.Community
winget install -e --id OpenJS.NodeJS
winget install -e --id Kitware.CMake  
winget install -e --id Anaconda.Miniconda3
winget install -e --id GoLang.Go
winget install -e --id Microsoft.WindowsTerminal
winget install -e --id Hugo.Hugo -l "$env:USERPROFILE/Packages/Hugo"
winget install -e --id ScooterSoftware.BeyondCompare4
winget install -e --id Docker.DockerDesktop
winget install -e --id JetBrains.GoLand --source winget
winget install -e --id Insomnia.Insomnia
winget install -e --id DBBrowserForSQLite.DBBrowserForSQLite
winget install -e --id GnuWin32.Make
winget install -e --id XK72.Charles
winget install -e --id WiresharkFoundation.Wireshark
winget install -e --id Telerik.Fiddler.Classic
winget install -e --id Cygwin.Cygwin --ignore-security-hash

Install Daily Software

Run the following command in the PowerShell:

winget install -e --id IrfanSkiljan.IrfanView
winget install -e --id Google.Chrome
winget install -e --id Mozilla.Firefox
winget install -e --id Tonec.InternetDownloadManager
winget install -e --id PeterPawlowski.foobar2000
winget install -e --id 7zip.7zip
winget install -e --id Qv2ray.Qv2ray
winget install -e --id Proxifier  
winget install -e --id VideoLAN.VLC
winget install -e --id CodeSector.TeraCopy
winget install -e --id Adobe.Acrobat.Reader.64-bit
winget install -e --id Microsoft.OneDrive
winget install -e --id Sandboxie.Plus
winget install -e --id Dropbox.Dropbox
winget install -e --id JAMSoftware.TreeSize.Free
winget install -e --id Mp3tag.Mp3tag
winget install -e --id VMware.WorkstationPro
winget install -e --id Figma.Figma
winget install -e --id PicGo.PicGo
winget install -e --id oldj.switchhosts
winget install -e --id Cloudflare.Warp

Install Utilities Tools

winget install -e --id Microsoft.Sysinternals.Autoruns -l "$env:USERPROFILE/Packages/Autoruns"
winget install -e --id Henry++.simplewall
winget install -e --id OO-Software.ShutUp10 -l "$env:USERPROFILE/Packages/OO-ShutUp10"
winget install -e --id voidtools.Everything
winget install -e --source winget --id AutoHotkey.AutoHotkey
winget install -e --id Microsoft.Sysinternals.ProcessExplorer

Censorship Circumvention

Run PowerShell as administrator to install dnscrypt-proxy:

winget install -e --id DNSCrypt.dnscrypt-proxy -l "$env:PROGRAMFILES\DNSCrypt"
winget install -e --id TorProject.TorBrowser -l "$env:USERPROFILE\Packages\Tor Browser"
winget install -e --id PsiphonInc.Psiphon

Manually Installed Software

Office

Microsoft Office installation customization:

Use the Office Deployment Tool (ODT). This is a command-line utility that parses an XML configuration file, which lets you exclude certain components of the Office suite.

Options > Privacy Settings

Microsoft Office
Microsoft Visio

Censorship Circumvention

  • v2rayN

    v2rayN 3.29

    Xray-core

  • I2P

    I2P

  • VPN Gate

    VPN Gate

  • lantern

    lantern

  • Ultrasurf

    Ultrasurf

    Because of its strong political associations, it is best not to install or use it routinely; keep it as a last resort when other tools fail.

  • Freegate

    freegate

    freesky

    Because of its strong political associations, it is best not to install or use it routinely; keep it as a last resort when other tools fail.

Other

  • Typora version 0.9.83
  • Beyond Compare

Configure Software

Firefox

Proxy SwitchyOmega

Chrome

Foobar2000

Copy the components from the backup to the foobar2000 installation directory, then install them in the Preferences dialog.

Restart foobar2000, then import the configuration from the backup in the Preferences dialog.

Add the music folder to the Media Library in the Preferences dialog.

Use Media Library search with the query %path% HAS "<music-path>" to create an autoplaylist.

Everything in the following folder is part of your config:

%APPDATA%\foobar2000

Internet Download Manager

Copy the cracked file or patch file and paste it into the installation folder, after this run patch as administrator and click the crack button.

Enable Advanced Firefox Browser Integration in IDM:

  1. Open IDM and navigate to “Downloads > Options > General” IDM dialog box.
  2. Enable “Use advanced browser integration” option.
  3. After that, make sure that integration into Mozilla Firefox and Google Chrome is ticked or enabled.

Add IDM Extension To Mozilla Firefox Browser:

  1. Open IDM folder where you installed IDM (“C:\Program Files (x86)\Internet Download Manager\” by default).
  2. Here you have 3 XPI files.
    • Choose idmmzcc3.xpi for Firefox 53 and newer versions.
    • Choose idmmzcc2.xpi for Firefox versions 27 to 52 inclusive.
    • Choose idmmzcc.xpi (without a number) for Firefox versions 1.5 to 26.

Add IDM Extension To Google Chrome Browser:

  1. Open IDM folder where you installed IDM (“C:\Program Files (x86)\Internet Download Manager\” by default).

  2. Here you have a CRX file.

    Then drag the IDMGCExt.crx file and drop it inside the extension page inside Google Chrome.

Disabling updates for the IDM Chrome extension:

You can do this by editing the extension’s manifest.json file:

  • On Windows: C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<EXTENSION-ID>\<VERSION>\manifest.json (find out the extension’s ID by enabling Developer Mode in the extension settings page)

In this file, set the "update_url" property to something invalid like "https://localhost" for example.

Beyond Compare

  1. Open the Registry Editor. (Hitting Windows + R, typing in “regedit” and hitting Enter.)

  2. Select and delete the entries

    \HKEY_CURRENT_USER\Software\Scooter Software\Beyond Compare 4\CacheId
    

DNSCrypt

Test dnscrypt-proxy

In the terminal, go to the directory of DNSCrypt installation

cd 'C:\Program Files\DNSCrypt\win64\'

Create a configuration file based on the example one

copy example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Run:

.\dnscrypt-proxy.exe

If dnscrypt-proxy is running, hit Control and C in the terminal window to stop it. And then to launch the server in an extra window, run:

start dnscrypt-proxy

Switch to your previous terminal window. Let’s check that everything works by sending a first query using dnscrypt-proxy:

.\dnscrypt-proxy.exe -resolve example.com

Change the system DNS settings

  1. Go to the Control Panel.

  2. Click Network and Internet > Network and Sharing Center > Change adapter settings.

  3. Select the connection for which you want to configure Google Public DNS. For example:

    • To change the settings for an Ethernet connection, right-click the Ethernet interface and select Properties.
    • To change the settings for a wireless connection, right-click the Wi-Fi interface and select Properties.

    If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  4. Select the Networking tab. Under This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) and then click Properties.

  5. Click Advanced and select the DNS tab. If there are any DNS server IP addresses listed there, write them down for future reference, and remove them from this window.

  6. Click OK.

  7. Select Use the following DNS server addresses. If there are any IP addresses listed in the Preferred DNS server or Alternate DNS server, write them down for future reference.

  8. Replace those addresses with the IP addresses of the DNSCrypt servers or the Google DNS servers:

    DNSCrypt servers:

    • 127.0.0.1

    Google DNS servers:

    • For IPv4: 8.8.8.8 and/or 8.8.4.4.
    • For IPv6: 2001:4860:4860::8888 and/or 2001:4860:4860::8844.
    • For IPv6-only: you can use Google Public DNS64 instead of the IPv6 addresses in the previous point.
  9. Test that your setup is working correctly.
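
The same change can be made and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes dnscrypt-proxy is already running and listening on 127.0.0.1:53, and the backup file name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: point the system resolver at dnscrypt-proxy and verify it.
$ErrorActionPreference = 'Stop'
$proxy      = '127.0.0.1'
$backupFile = Join-Path $env:USERPROFILE 'dns-servers-before-dnscrypt.json'  # hypothetical name

# 1. Refuse to switch if the local proxy does not answer; otherwise name
#    resolution breaks the moment the adapters point at it.
Resolve-DnsName -Name example.com -Server $proxy -Type A -DnsOnly | Out-Null

# 2. Work on the physical adapters that are currently connected.
$adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
if ($adapters.Count -eq 0) { throw 'No connected physical adapter found.' }

# 3. "Write them down for future reference": save the current resolvers.
Get-DnsClientServerAddress -InterfaceIndex $adapters.ifIndex |
    Select-Object InterfaceAlias, InterfaceIndex, AddressFamily, ServerAddresses |
    ConvertTo-Json -Depth 3 |
    Set-Content -Path $backupFile -Encoding UTF8

# 4. Point the IPv4 DNS setting of each adapter at the proxy.
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $proxy
}
Clear-DnsClientCache

# 5. List every resolver that is still configured and would bypass the proxy,
#    for example IPv6 DNS servers handed out by the router.
#    fec0:0:0:ffff::1..3 are the placeholders Windows shows when no IPv6 DNS
#    server is configured, so they are ignored here.
$bypass = Get-DnsClientServerAddress -InterfaceIndex $adapters.ifIndex |
    ForEach-Object {
        foreach ($s in $_.ServerAddresses) {
            if ($s -notin '127.0.0.1', '::1' -and $s -notlike 'fec0:0:0:ffff::*') {
                [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $s }
            }
        }
    }

if ($bypass) {
    Write-Warning 'These resolvers are still configured and bypass dnscrypt-proxy:'
    $bypass | Format-Table -AutoSize
} else {
    'All connected adapters resolve through 127.0.0.1.'
}

# 6. End-to-end check through the system resolver.
Resolve-DnsName -Name example.com -Type A -DnsOnly | Select-Object Name, IPAddress
```

To go back to the DHCP-assigned servers, run Set-DnsClientServerAddress with -ResetServerAddresses for the same interface; the saved JSON file holds any manually configured addresses.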

Install the proxy as a system service

Hit Control and C in the dnscrypt-proxy terminal window to stop the proxy.

Register dnscrypt-proxy as a system service:

.\dnscrypt-proxy -service install

Start the service

.\dnscrypt-proxy -service start

Stop the service

.\dnscrypt-proxy -service stop

Restart the service after a configuration file change

.\dnscrypt-proxy -service restart

Uninstall the service

.\dnscrypt-proxy -service uninstall

Check that DNS resolution works

.\dnscrypt-proxy -resolve example.com

Completely delete

.\dnscrypt-proxy -service uninstall
winget uninstall DNSCrypt.dnscrypt-proxy

I2P

Run it using the “Start I2P” entries in your Start Menu.

Open your browser of choice and visit the I2P welcome page at:

127.0.0.1:7657/home

Configure your router to reseed through a proxy, configure the proxy type, hostname, and port:

127.0.0.1:7657/configreseed

Then, click “Save changes and reseed now”.

To browse anonymous websites inside Invisible Internet, configure your web browser to use HTTP/S proxy

HTTP 127.0.0.1 4444
HTTPS 127.0.0.1 4445

pip Configuration

pip config --global set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

Miniconda Configuration

Manually edit .condarc in your home directory:

envs_dirs:
  - D:\various\miniconda\envs

Tweaks

Account

Using a Local account:

Create a local account instead of using a Microsoft account. I don’t want to needlessly let any more big tech harvest my data than I have to.

Enable administrator account:

  1. Open “Run” with [Windows] + [R].
  2. Type “cmd” and press [Ctrl] + [Shift] + [Enter].
  3. Type “net user administrator /active:yes”.
  4. The administrator account is now activated.
  5. To deactivate: “net user administrator /active:no”.

In particular, the built-in Administrator account was never intended to be used for day-to-day normal use. Although intruders can use certain utilities to identify renamed Administrator accounts, most security strategies still instruct you to change the accounts’ default names. The standard security practice is to rename the account, set a strong password on it, and use it only to create another account for regular use, reserving the Administrator account as a “back door” in case something corrupts your regular account(s).

Change the administrator name:

  1. In the search box on the taskbar, type Computer Management and select it from the list.
  2. Select the arrow next to Local Users and Groups to expand it.
  3. Select Users.
  4. Right-click Administrator and select Rename.
  5. Type a new name. Note that you’ll need to be the administrator to change this name.

Tweak Privacy Settings

Run O&O ShutUp10 to set privacy settings for Windows.

Download WPD to configure various privacy settings in Windows.

Set Telemetry to: Enabled: 0 - Security

  • To launch the Group Policy Editor, press Win + R, type gpedit.msc, and press Enter.
  • Use the left sidebar to navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.
  • Switch to the right pane and double-click Allow Telemetry. By default, it’s set to Not Configured. Select Enabled instead; in the Options box, choose the 0 - Security setting, and then click OK.

Turn off KMS Client Online AVS Validation:

  • To launch the Group Policy Editor, press Win + R, type gpedit.msc, and press Enter.
  • Use the left sidebar to navigate to Computer Configuration > Administrative Templates > All Settings.
  • Switch to the right pane and double-click Turn off KMS Client Online AVS Validation. By default, it’s set to Not Configured. Select Enabled instead, and click OK.

Disable unnecessary services

  • Connected User Experience Diagnostics & Telemetry

  • Windows Defender Antivirus Service

Windows Exploit Protection

  • Disable Cortana & Web search:

    Windows 10 LTSC builds do not need to disable Cortana and Web search.

  • Edge browser

    Download Firefox and Chrome, then change the default browser.

    Block Edge update.

    Uninstall Microsoft Edge

  • Disable game bar

    Under Settings > Gaming > Xbox Game bar, disable Xbox game bar.

Configure Update Settings

  • Disable automatic updates

    Updates for Windows 10 LTSC never add new features; they only fix bugs and security issues, so there is no need to disable them.

  • Disable automatic drivers installation

    Windows 10 LTSC builds do not need to disable updates.

Disable Unnecessary Startup Items

  1. Open the Task Manager with Ctrl + Shift + Esc, or by right-clicking on the taskbar and choosing Task Manager.
  2. Click More details to switch to the full view, if needed.
  3. Switch to the Startup tab.
  4. Right-click on every app you don’t want to start automatically and select Disable to prevent it from launching on startup.

Autoruns gives more granular control.

Personalization

Customizing and personalizing

  • Navigate to Settings -> Personalization -> Colors, and then disable transparency effects

Change User Access Control setting

Search for “UAC” in the task bar, and click “Change User Account Control settings”. Lower the notification level so that UAC no longer dims the desktop.

Change notification setting

Change the configuration through Settings > System > Notification & actions.

If you turned off your anti-virus and the like, you can change the configuration through Control Panel > Security and Maintenance > Change Security and Maintenance settings.

Optimize Power Plan Settings

Power profiles are in Control Panel > Power Options, where you can switch between various modes, like Balanced, Performance, Power Saving, and others, and make individual changes to different settings: hard disk sleep, PCI and wireless device utilization, min/max processor states, and so forth.

Windows includes three default power plan options:

  • Balanced
  • Power Saver
  • High Performance

Laptop Power Plan Switching:

Type power plan in your Start Menu search bar and select the Best match from the results. The Control Panel Power Options page will open. Select your preferred plan, and you’re good to go.

Change Device Power management

To launch the Device Manager, press Win + X, Select Device Manager. Select Ethernet, click properties, power management, uncheck “Allow the computer to turn off this device to save power”. Select Wireless, click properties, power management, uncheck “Allow the computer to turn off this device to save power”

Change Performance Options

Navigate to Control Panel -> System & Security -> System -> Advanced system settings -> Advanced -> Performance settings. Disable all visual effects, except for: “Smooth edges of screen fonts”, “Show window contents”, “Show thumbnails”, “Show translucent selection rectangle”, and “Show shadows under mouse pointer”

Disable the Fast startup:

In the Control Panel, you can also disable the Fast startup - Power Options > Change what the power button does, and then uncheck this thing. It’s a hybrid sleep thingie that can lead to corrupt filesystems if there’s a power loss, plus if you’re dual-booting, your C: drive NTFS filesystem will not be writable under Linux. Alternatively, if you turn hibernation off, Fast startup won’t be available - open command line as admin, and then run:

powercfg /h off

Remove default folders from This PC

If you don’t want the default locations like Documents, Pictures, Videos, 3D Objects and alike listed in the sidebar in Windows Explorer, you will need to remove them. In regedit, you will need to navigate to the following paths separately:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace

And then, in each one of them, remove the following entries - you can export them and save them first before you actually delete them, to be on the safe side, so if you want to restore them, you can:

  • 3D Objects - {0DB7E03F-FC29-4DC6-9020-FF41B59E513A}
  • Desktop - {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
  • Documents - {A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}, {d3162b92-9365-467a-956b-92703aca08af}
  • Downloads - {374DE290-123F-4565-9164-39C4925E467B}, {088e3905-0323-4b02-9826-5d99428e115f}
  • Music - {1CF1260C-4DD0-4ebb-811F-33C572699FDE}, {3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}
  • Pictures - {3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}, {24ad3ad4-a569-4530-98e1-ab02f9417aa8}
  • Videos - {A0953C92-50DC-43bf-BE83-3742FED03C9C}, {f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}
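
The export-then-delete procedure can be scripted so that no key is removed unless its backup was written. This is an added example, not part of the original post; the backup directory name and the $Apply switch variable are assumptions of this example, and the GUIDs are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example: back up each "This PC" namespace entry, then remove it.
$Apply = $false   # dry run by default; set to $true to actually delete keys

$roots = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace'
)

# Folder name -> namespace GUIDs, as listed on this page.
$entries = [ordered]@{
    '3D Objects' = @('{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}')
    'Desktop'    = @('{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}')
    'Documents'  = @('{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}', '{d3162b92-9365-467a-956b-92703aca08af}')
    'Downloads'  = @('{374DE290-123F-4565-9164-39C4925E467B}', '{088e3905-0323-4b02-9826-5d99428e115f}')
    'Music'      = @('{1CF1260C-4DD0-4ebb-811F-33C572699FDE}', '{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}')
    'Pictures'   = @('{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}', '{24ad3ad4-a569-4530-98e1-ab02f9417aa8}')
    'Videos'     = @('{A0953C92-50DC-43bf-BE83-3742FED03C9C}', '{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}')
}

# Hypothetical backup location, one directory per run.
$backupDir = Join-Path $env:USERPROFILE ('ThisPC-namespace-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir | Out-Null

$n = 0
foreach ($root in $roots) {
    foreach ($name in $entries.Keys) {
        foreach ($guid in $entries[$name]) {
            $key = "$root\$guid"
            # Not every GUID exists under both roots or on every build.
            if (-not (Test-Path -LiteralPath "Registry::$key")) { continue }

            $n++
            $file = Join-Path $backupDir ('{0:d2}_{1}.reg' -f $n, ($name -replace ' ', ''))
            & reg.exe export $key $file /y | Out-Null

            # Never delete a key whose export did not succeed.
            if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
                Write-Warning "Export failed, leaving $key in place."
                continue
            }

            if ($Apply) {
                Remove-Item -LiteralPath "Registry::$key" -Recurse
                "removed       $name  $key"
            } else {
                "would remove  $name  $key  (backup: $file)"
            }
        }
    }
}
```

To restore an entry, run reg import on the corresponding .reg file from the backup directory.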

Change Default Apps

  • Head to Settings > Apps > Default apps.
  • Select your preferred apps for each category, including Email, Music player, Web browser, and more.
    • Make Outlook the default program for email.
    • Make foobar2000 the default program for music player.
    • Make Irfanview the default program for photo viewer.
    • Make VLC the default program for video player.
    • Make Chrome the default program for web browser.
  • Below that, click on Choose default apps by file type if you’d like to associate various file types, such as PDF, DOCX, and TXT, with specific programs.
  • For another view, choose Set defaults by app and pick an app to see which defaults it currently has, and which ones it can use.

Modify Hosts File

GoogleTranslateIpCheck

Backup

Symbolic link Junction Hard link
When the link is deleted… The target remains unchanged The target is deleted A reference counter is decremented. When it reaches 0, the target is deleted.
When target is moved… The link becomes invalid The link becomes invalid The link remains valid
Relative path Allowed Not allowed
Can be on a different volume? Yes Yes No
Link to files on Windows Yes No Yes
Link to folders on Windows Yes No
Link to files on Unix Yes Yes
Link to folders on Unix Yes Partial

Says I have to move the files into G Drive, then put the symbolic link where the original folder used to be. Which sucks. I don’t like this solution.

OneDrive

Open Command Prompt.

mklink /j "%UserProfile%\OneDrive\backup\configuations" D:\backup\configuations
copy "C:\Windows\System32\drivers\etc\hosts" "%UserProfile%\OneDrive\backup\configuations\windows\hosts"
mklink /j "%UserProfile%\OneDrive\documents" D:\documents

System restore point

Create a system restore point:

  1. In the search box on the taskbar, type Create a restore point, and select it from the list of results.
  2. On the System Protection tab in System Properties, select Create.
  3. Type a description for the restore point, and then select Create > OK.
