Tip-Packed Gem from Microsoft Ignite 2018 – Windows Life Hacks

I came across this top session, 45 Life Hacks in 45 Minutes, from Microsoft Ignite 2018, which I consider to be a gem for Windows enthusiasts. It is packed with useful Windows techniques, many of which are advanced yet practical.

This blog post merely summarizes the interesting tips from the session as an entry point – to experience the amazingness of the live demos, please go watch the recorded session on YouTube and look for other works by Sami Laiho from whom I learned a lot.

1. Exit Explorer
  • Windows 10/2016
    • Right-click taskbar > Exit Explorer
  • Windows 8/2012
    • Press Alt+F4 to bring up shutdown dialog. Next, while holding Ctrl+Shift+Alt, click Cancel
2. Violate a Group Policy that, for example, only allows running IE but not Command Prompt or other apps
  • In Task Manager > Run New Task
  • It always opens a Command Prompt
3. Redo old commands from history without typing again
  • F7 hotkey
  • History of Command Prompt or PowerShell
4. Tab auto completion in Command Prompt
  • Typing *.xlsx and then pressing Tab in Command Prompt tab-completes only files with the .xlsx extension. Works with any extension
5. Copy errors in dialog boxes
  • Copy error messages from error dialog by Ctrl+C
6. Perform OCR (Optical Character Recognition) with OneNote
  • Perform a capture in OneNote
  • Right-click pictures and select copy text
7. Figure out an error code that a customer provided without the error message
  • Decimal
    • net helpmsg 4006
  • Hex
    • winrm helpmsg 0x65
8. Client-server signaling before attempting a next step
  • WAITFOR [/T timeout] signal
  • Description
    • This tool sends, or waits for, a signal on a system. When /S is not specified, the signal will be broadcasted to all the systems in a domain. If /S is specified, then the signal will be sent only to the specified system.
9. Send command output to clipboard
  • Command Prompt
    • ipconfig | clip
  • PowerShell
    • Get-Service | Set-Clipboard
10. PSExec can encrypt credentials over the wire
  • Joke
    • Who uses PSExec now that we have PowerShell?
    • Mark Russinovich: "How can you remotely enable PowerShell remoting?"
11. Have fun by remotely executing an app under the 'local system' user
  • It will be hard for the remote user to get rid of the app (strip off the frame)
  • psexec -sid \\student25 "c:\program files (x86)\Internet Explorer\iexplore.exe" -K http://www.bing.com
12. SYSTEM account is comparable to root of Linux

13. Run multiple registry editors
  • regedit /m
14. Run regedit under SYSTEM account to view secrets at HKLM\SECURITY\Policy\Secrets

15. Cool registry location but too long to remember and type
  • Add to favorites
16. HiveList
  • Registry location that indicates where the physical files of registry are
  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist
  • e.g. For SAM, i.e. \REGISTRY\MACHINE\SAM
    • \Device\HarddiskVolume5\Windows\System32\config\SAM
17. Process Hacker: Impersonate any logged-on user in another user session
  • Under Process Hacker, right-click explorer.exe > Miscellaneous > Run as this user...
  • If the other logged-on user is a domain admin, you are now the domain admin
  • Good for service troubleshooting: impersonate local system
18. Autoruns: Fix unbootable issue due to driver after Windows 10 upgrade
  • Analyze offline system with Sysinternals Autoruns under Windows PE
  • Boot from Windows installation media (or Windows PE)
  • Uncheck driver
19. Resource Hacker: Change the strings of the Windows 10 new-user messages ("How are you doing?", "This won't take long"), e.g. to fun messages
  • cd C:\Windows\System32\oobe\en-US\
  • Edit msoobeFirstLogonAnim.dll.mui with Resource Hacker
20. Sysinternals Strings: Use strings.exe to go through the whole binary; it shows binaries that can be used
  • cd C:\Windows\System32\oobe\
  • Strings.exe FirstLogonAnim.exe > temp.txt
  • Change font and speed with FirstLogonAnim.html
21. Run notepad.exe but starts calc.exe instead
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • What gets executed when you type something
  • Create a new key of an application, e.g. "notepad.exe"
  • Create a new REG_SZ string value named "Debugger" with data "calc.exe"
22. Remove Windows 10 New User Logon Animation
  • Continued from above, create a new key of "FirstLogonAnim.exe"
  • Create a new REG_SZ string value named "Debugger" with data "NULL"
23. Leverage FirstLogonAnim.exe to display other strings and block the user from doing anything during a task, e.g. an SCCM task sequence
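
Tips 21 and 22 both work by placing a "Debugger" value under Image File Execution Options, so it helps to be able to list every such redirect on a machine. The read-only audit below is an added example, not code from the session or the original post; the function name Get-IfeoDebugger is a hypothetical helper, and the registry path is the one given in tip 21.

```powershell
# Added example (not from the session): read-only audit of IFEO "Debugger" redirects.
# Registry path taken from tip 21; nothing is modified.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {    # hypothetical helper name
    param([string]$Root = $ifeoRoot)

    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        # GetValue returns $null when the subkey has no Debugger value;
        # the [string] cast turns that into '' and tolerates non-string data.
        $debugger = [string]$key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # The data is a command line: take the first token, quoted or not.
        if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($debugger.Trim() -split '\s+')[0] }

        # Resolve the token the way a bare name would be found on PATH.
        $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1

        [pscustomobject]@{
            Image      = $key.PSChildName    # name the user launches, e.g. notepad.exe
            Debugger   = $debugger           # what is started instead
            ResolvesTo = if ($resolved) { $resolved.Path } else { '(nothing runnable)' }
            KeyPath    = $key.Name
        }
    }
}

# One record per redirected image; an empty result means no Debugger values exist.
Get-IfeoDebugger | Sort-Object Image | Format-List
```

A redirect like the one in tip 21 shows up with ResolvesTo pointing at calc.exe, while the "NULL" entry from tip 22 shows up as "(nothing runnable)".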