DIY a custom Win10 image for a cloud server. The simple route: buy a CVM from any of the 2012R2/2016/2019 public images (do not pick 2022), attach a 10G data disk, and download the Win10 ISO from Microsoft's site onto the data disk.
server2016 → Win10 Enterprise
server2019 → Win10 Enterprise
server2022 upgraded in place with a stock Win10 or Win11 ISO always ends in error 0xC1900101 - 0x20017: winre.wim has no virtualization drivers integrated, so recovery mode cannot see the disk.
https://www.microsoft.com/zh-cn/software-download/windows10
https://www.microsoft.com/zh-cn/software-download/windows11
You can also download from elsewhere, but make sure the source is safe. I use the following regularly, though Microsoft's own site is the safest; its only drawback is that it seems to offer only the Home edition.
https://www.xitongku.com/
https://msdn.sjjzm.com/
https://msdn.itellyou.cn/
https://next.itellyou.cn/
https://www.uupdump.cn/
https://cnman.github.io/windowsserver.html
https://cnman.github.io/windows.html
https://cnman.github.io/sqlserver.html
Once the ISO is downloaded, double-click to open it and run the setup.exe inside to install Win10 over the current Server system; when it finishes, make a custom image from the result. To install Win11 this way, the ISO has to be modified with a swap: take the appraiserres.dll file from the sources directory of the Win10 ISO and replace the file at the same location in the Win11 ISO. Then rebuild the ISO with a third-party tool (UltraISO, PowerISO, etc.) and run setup.exe.
Rebuilding the ISO is simple: open the original ISO with UltraISO/PowerISO, drag the replacement file onto the target location to overwrite it, then save as a new ISO file.
There are 3 ways to make a Win11 ISO skip the hardware check so that ordinary machines can install Win11; the one above is only one of them. See:
https://cloud.tencent.com/developer/article/2404867
While setup.exe runs, watch these points:
Choose Enterprise or Pro for Workstations
The system may reboot several times on its own. Keep watching progress in VNC the whole time and do not reboot the machine just because the screen is black; that corrupts the installation, for example
Here is a 4-minute screen recording: https://cloud.tencent.com/developer/video/79020
How to restore networking and remote access after an in-place Windows upgrade
https://cloud.tencent.com/developer/article/2400772
The first cut of a Windows image is easy; the optimization has many details. The notes below are not all required; pick what you need.
Stop downloaded files from being marked with the security lock (Zone.Identifier)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>&1 > $null
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v SaveZoneInformation /t REG_DWORD /d 1 /f 2>&1 > $null
When connected remotely, choose "play on this computer" and "record from this computer"; if the Recording tab shows no audio device, resolve it as follows.
From my research, Microsoft split the remote audio recording experience on NT10 into 3 classes:
server2016-2022: not supported by default; configuring Remote Desktop Session Host makes it work
win10 (Pro/Enterprise/Workstation): if it is not supported by default, enable it in Group Policy under Remote Desktop Session Host → Device and Resource Redirection → allow audio and video playback redirection and audio recording redirection
win11 (Pro/Enterprise/Workstation): supported by default
If a Windows machine with a GPU might be destabilized by automatic GPU driver updates, exclude driver updates from Windows Update:
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /d 1 /t REG_DWORD /f
reg add "HKLM\Software\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /d 1 /t REG_DWORD /f
HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\CoProcManager\AutoDownload controls the automatic download of the NVIDIA co-processor driver. If you do not need that, set AutoDownload to 0 to disable it.
reg add "HKCU\SOFTWARE\NVIDIA Corporation\Global\GFExperience" /v "NotifyNewDisplayUpdates" /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v "AutoDownload" /t REG_DWORD /d 0 /f
If, after installing a virtual sound card, recording inside the VNC session does not work, check the microphone permission.
Run this command to open the microphone access settings:
ms-settings:privacy-microphone
More ms-settings commands: https://cloud.tencent.com/developer/article/2329408
Reduce VNC mouse ghosting
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d 0 /f
reg add "HKEY_USERS\.DEFAULT\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d 0 /f
Enable WinRM
winrm quickconfig -q 2>&1> $null;winrm quickconfig -q -force 2>&1> $null;netstat -ano|findstr :5985;
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM" /f 2>$null
stop-service mpssvc 2>&1 > $null
winrm quickconfig -q 2>&1 > $null
winrm quickconfig -q -force 2>&1 > $null
restart-service winrm 2>&1 > $null
#Set-Item WSMan:\localhost\client\trustedhosts -value * -force 2>&1 > $null
winrm set winrm/config/client '@{TrustedHosts="*"}' 2>&1 > $null
#netstat -ato|findstr :5985
Stop VNC sessions from locking the screen
powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg -x -monitor-timeout-dc 0
powercfg -x -monitor-timeout-ac 0
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DisableLockWorkstation" /d 1 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Authentication\LogonUI\SessionData" /v "AllowLockScreen" /d 0 /t REG_DWORD /f
# re-apply AllowLockScreen=0 as SYSTEM at every boot (the key path contains a space, so the argument is quoted for reg.exe)
$action = New-ScheduledTaskAction -Execute 'reg.exe' -Argument 'add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Authentication\LogonUI\SessionData" /v AllowLockScreen /d 0 /t REG_DWORD /f'
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "nolockscreen" -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
Show seconds in the clock at the bottom right
reg add "HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>&1 > $null
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>&1 > $null
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /t REG_DWORD /d 1 /f 2>&1 > $null
# re-apply the HKCU value at every Administrator logon
$action = New-ScheduledTaskAction -Execute 'reg.exe' -Argument 'add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSecondsInSystemClock /d 1 /t REG_DWORD /f'
$trigger = New-ScheduledTaskTrigger -AtLogOn -User Administrator
$principal = New-ScheduledTaskPrincipal -UserId Administrator -LogonType Interactive -RunLevel Highest
Register-ScheduledTask -TaskName "show_time_miao_second" -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
Enable Remote Desktop and change its port
(gwmi -class win32_terminalservicesetting -namespace "root\cimv2\terminalservices").setallowtsconnections(1)
$portvalue = 3389
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue
#New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue
#New-NetFirewallRule -DisplayName 'RDPPORTLatest-UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalue
#powershell -c "& { restart-service termservice -force}"
Update root certificates
#del C:\WURoots.sst 2>$null
del C:\authroots.sst 2>$null
del C:\roots.sst 2>$null
del C:\updroots.sst 2>$null
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
wget.exe http://windowscq-1251783334.cos.ap-chongqing.myzijiebao.com/updroots.exe -O c:\windows\updroots.exe 2>&1 > $null
# keep retrying until all three SST files from Windows Update are on disk
while(((Test-Path c:\authroots.sst) -eq $false) -or ((Test-Path c:\roots.sst) -eq $false) -or ((Test-Path c:\updroots.sst) -eq $false)){
wget.exe http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authroots.sst -O c:\authroots.sst 2>&1 > $null
wget.exe http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/roots.sst -O c:\roots.sst 2>&1 > $null
wget.exe http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/updroots.sst -O c:\updroots.sst 2>&1 > $null
}
# remove every certificate currently in the machine Root store, then re-import from the SST files
$Certs = get-childitem Cert:\LocalMachine\Root
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|Windows 7"){
#wget.exe http://windowscq-1251783334.cos.ap-chongqing.myzijiebao.com/WURoots.sst -O c:\WURoots.sst 2>&1 > $null
$Certs| ForEach-Object {
$store = Get-Item $_.PSParentPath
$store.Open('ReadWrite')
$store.Remove($_)
$store.Close()
}
}else{
#while( (Test-Path C:\WURoots.sst) -eq $false ){
#certutil -generateSSTFromWU C:\WURoots.sst 2>&1 > $null
#}
$Certs | %{Remove-Item -path $_.PSPath -recurse -Force}
}
#[UpdRoots -open SrcStore failed=>0x2(2)], replace with https://msfn.org/board/topic/181915-system-certificates-updater-the-easy-way/
#updroots.exe c:\WURoots.sst
start-sleep -s 5
updroots c:\authroots.sst
start-sleep -s 5
updroots c:\roots.sst
start-sleep -s 5
updroots c:\updroots.sst
start-sleep -s 5
#certmgr.msc
#del C:\WURoots.sst 2>$null
del C:\authroots.sst 2>$null
del C:\roots.sst 2>$null
del C:\updroots.sst 2>$null
Change the default keyboard layout to English
reg add "HKCU\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKCU\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKLM\SYSTEM\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "1" /d 00000409 /t REG_SZ /f 2>&1 > $null
reg add "HKEY_USERS\.DEFAULT\Keyboard Layout\Preload" /v "2" /d 00000804 /t REG_SZ /f 2>&1 > $null
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>&1 > $null
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" /v IgnoreRemoteKeyboardLayout /t REG_DWORD /d 1 /f 2>&1 > $null
Bring data disks online automatically
"SAN Policy=OnlineAll" | diskpart
Stop HTTPS certificate revocation checks from being enforced in every situation (for example when the machine has no public network)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v CertificateRevocation /t REG_DWORD /d 0 /f 2>&1 > $null
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" /v CertificateRevocation /t REG_DWORD /d 0 /f 2>&1 > $null
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" /v State /t REG_DWORD /d 0x23e00 /f 2>&1 > $null
Create a boot-time scheduled task to speed up clock synchronization at startup and to sync at an interval of under 1 minute, and point it at Tencent Cloud's internal NTP servers
Set NtpServer to:
time1.tencentyun.com time2.tencentyun.com time3.tencentyun.com time4.tencentyun.com time5.tencentyun.com
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" /v "RealTimeIsUniversal" /f 2>$null
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/timesync.ps1 -O c:\timesync.ps1
powershell -file c:\timesync.ps1
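The contents of timesync.ps1 are not shown in the post; as an added example (not the post's own script) the PowerShell below does what the section describes: it points w32time at the five time*.tencentyun.com servers, polls every 60 seconds, registers a SYSTEM task at startup that re-runs the sync, and reports the current source and offset. The task name and the c:\timesync.ps1 path it invokes are assumptions; it needs an elevated Windows PowerShell session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not the post's own timesync.ps1. Assumes an elevated Windows PowerShell 5.1 session
# on Windows 8.1 / Server 2012 R2 or later (ScheduledTasks module present).
$NtpServers = 'time1.tencentyun.com', 'time2.tencentyun.com', 'time3.tencentyun.com',
              'time4.tencentyun.com', 'time5.tencentyun.com'

function Set-CvmTimeSync {
    param([string[]]$Servers = $NtpServers, [int]$IntervalSeconds = 60)
    # ",0x1" (SpecialInterval) makes w32time poll at SpecialPollInterval instead of its adaptive schedule
    $peerList = ($Servers | ForEach-Object { "$_,0x1" }) -join ' '
    Set-Service w32time -StartupType Automatic
    Start-Service w32time -ErrorAction SilentlyContinue
    & w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:no /update | Out-Null
    $ntpClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
    Set-ItemProperty -Path $ntpClient -Name SpecialPollInterval -Type DWord -Value $IntervalSeconds
    Restart-Service w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Register-BootTimeSyncTask {
    # Re-runs the sync script at every boot so the clock is corrected before the cloud agents start
    param([string]$ScriptPath = 'c:\timesync.ps1', [string]$TaskName = 'timesync_onboot')  # both assumed names
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

function Get-TimeSyncStatus {
    # Source should be one of the tencentyun servers and the phase offset should be well under a second
    $status = & w32tm.exe /query /status
    [pscustomobject]@{
        Source = (($status | Where-Object { $_ -match '^Source:' }) -replace '^Source:\s*', '')
        Offset = (($status | Where-Object { $_ -match 'Phase Offset' }) -replace '^.*:\s*', '')
    }
}

Set-CvmTimeSync
Register-BootTimeSyncTask
Get-TimeSyncStatus
```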
Before shutting down to make the image, release the DHCP-assigned IP and remove the NIC device; these commands must be run from VNC
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /f 2>$null
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f 2>&1 > $null
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/devcon.exe -O c:\windows\devcon.exe
ipconfig /release;devcon.exe /r remove "PCI\VEN_1AF4&DEV_1000&SUBSYS_00011AF4&REV_00"
Repair the missing cloudbase-init link
cmd.exe /c mklink /D "c:\python_cloudbaseinit" "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python" 2>$null
Fix the metric priority of the default route
#getgw
$gw=(Get-WmiObject win32_networkadapterconfiguration -filter "ipenabled = 'true'").defaultipgateway
if([string]::IsNullOrEmpty($gw)){
$gw=(Get-WmiObject win32_networkadapterconfiguration -filter "ipenabled = 'true'").DHCPServer
}
if([string]::IsNullOrEmpty($gw)){
$interface = (Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=True').GUID
$string=reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$interface" | findstr /i DhcpServer
$gw = $string -split '\s+' | Select-Object -Last 1
}
#set route metric
$NICName=(Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=True').NetConnectionID
foreach ($interfacename in $NICName) {
netsh interface ip set interface interface="$interfacename" metric=1
}
#set defaultgw metric (REG_MULTI_SZ entries are separated by \0 for reg.exe)
$interfaces = Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=True' | ForEach-Object { $_.GUID }
foreach ($interfaceGuid in $interfaces) {
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$interfaceGuid"
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$interfaceGuid" /v DefaultGatewayMetric /t REG_MULTI_SZ /d "1\0" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$interfaceGuid" /v DefaultGateway /t REG_MULTI_SZ /d "$gw\0" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$interfaceGuid" /v DhcpDefaultGateway /t REG_MULTI_SZ /d "$gw\0" /f
}
Create a copy of PowerShell
cmd.exe /c "copy /Y %systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe %systemroot%\system32\wt.exe 2>&1 > nul" 2>&1 > $null
cmd.exe /c "copy /Y %systemroot%\System32\WindowsPowerShell\v1.0\powershell.exe %systemroot%\wt.exe 2>&1 > nul" 2>&1 > $null
Disable part of Defender (requires elevation; see the referenced article)
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force 2>&1 >$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleQuickScanTime" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>$null
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /va /f 2>&1 >$null
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
Get-ItemProperty -Path $registryPath | Remove-ItemProperty -Name * -ErrorAction SilentlyContinue
Get-ChildItem -Path $registryPath | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /d 0 /t REG_DWORD /f
#Restart-Service WinDefend -Force -ErrorAction SilentlyContinue
#Restart-Service WdNisSvc -Force -ErrorAction SilentlyContinue
Start-Service WinDefend -ErrorAction SilentlyContinue
Start-Service WdNisSvc -ErrorAction SilentlyContinue
Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
Set-MpPreference -DisableIOAVProtection $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
Set-MpPreference -DisableArchiveScanning $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /d 1 /t REG_DWORD /f
Set-MpPreference -MAPSReporting 0 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /d 0 /t REG_DWORD /f
Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /d 2 /t REG_DWORD /f
Set-MpPreference -EnableControlledFolderAccess Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /d 0 /t REG_DWORD /f
Set-MpPreference -PUAProtection Disabled -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /d 0 /t REG_DWORD /f
Set-MpPreference -SignatureFallbackOrder FileShares -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f
Set-MpPreference -SignatureScheduleDay Never -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
Set-MpPreference -SharedSignaturesPath c:\dummyPath -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SharedSignatureRoot" /d "c:\dummyPath" /t REG_SZ /f
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources "\\unc1 | \\unc2" -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DefinitionUpdateFileSharesSources" /d "\\unc1 | \\unc2" /t REG_SZ /f
Set-MpPreference -CheckForSignaturesBeforeRunningScan $false -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /d 0 /t REG_DWORD /f
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "LocalSettingOverrideDisableRealtimeMonitoring" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /d 0 /t REG_DWORD /f
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f
Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -ModerateThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -LowThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
Set-MpPreference -SevereThreatDefaultAction 6 -Force -ErrorAction SilentlyContinue
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /d 1 /t REG_DWORD /f
Stop-Service WdNisSvc 2>&1 > $null
Stop-Service WinDefend 2>&1 > $null
Stop-Service MpsSvc 2>&1 > $null
Stop-Service wscsvc 2>&1 > $null
Stop-Service SecurityHealthService 2>&1 > $null
Stop-Service Sense 2>&1 > $null
Set-Service WdNisSvc -StartupType Disabled 2>&1 > $null
Set-Service WinDefend -StartupType Disabled 2>&1 > $null
Set-Service MpsSvc -StartupType Disabled 2>&1 > $null
Set-Service wscsvc -StartupType Disabled 2>&1 > $null
Set-Service SecurityHealthService -StartupType Disabled 2>&1 > $null
Set-Service Sense -StartupType Disabled 2>&1 > $null
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Data Integrity Scan\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Defrag\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null
Clean up some log files before making the image
stop-service BaradAgentSvc 2>&1 > $null
stop-service StargateSvc 2>&1 > $null
stop-service YDLive 2>&1 > $null
stop-service YDService 2>&1 > $null
stop-service tatsvc 2>&1 > $null
write-host > c:\windows\ipconfig_xen_vm.ini
del "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log\*" 2>$null
del "C:\Program Files\QCloud\Logs\*" 2>$null
del "C:\Program Files\QCloud\Monitor\Barad\logs\*" 2>$null
del "C:\Program Files\QCloud\Stargate\logs\*" 2>$null
del "C:\Program Files\QCloud\YunJing\log\*" 2>$null
del "C:\Windows\System32\Sysprep\Panther\*.log" 2>$null
del "C:\Windows\Panther\*.log" 2>$null
del "C:\Windows\Panther\UnattendGC\*.log" 2>$null
del "C:\cvm_init.log" 2>$null
del "C:\Windows\Logs\WindowsUpdate\*" 2>$null
del "C:\Windows\INF\setupapi.dev.log" 2>$null
del "C:\Windows\INF\setupapi.setup.log" 2>$null
wevtutil el | Foreach-Object {wevtutil cl "$_" 2>$null}
wevtutil cl security 2>$null
wevtutil cl system 2>$null
cmd.exe /c del /F /Q C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\* 2>$null
#Remove-Item (Get-PSReadlineOption).HistorySavePath
#cmd.exe /c "echo.>%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
clear-history
Activate the system while the public network is reachable
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -skms kms.03k.org:1688" 2>&1 > $null
cmd.exe /c "cscript /nologo %windir%/system32/slmgr.vbs -ato" 2>&1 > $null
Integrate the virtualization drivers into the recovery-mode image winre.wim
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/devcon.exe -O c:\windows\devcon.exe
$client1 = new-object System.Net.WebClient
$client1.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/7z2200-x64.msi','c:\7z2200-x64.msi')
msiexec.exe /i c:\7z2200-x64.msi /qn
Start-Sleep 30
del c:\7z2200-x64.msi 2>$null
#if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|Windows 7"){
#echo "only support >= Server2012 R2 or >= Windows8.1"
#exit
#}
#if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|Windows 7"){
#$client = new-object System.Net.WebClient
#$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
#}
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2"){
if((wmic diskdrive where index=0 list full /format:list|findstr Partitions).split("=")[1] -eq 1){
#if((Get-Partition -DriveLetter C).PartitionNumber -eq 1){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/2008R2autounattend1.xml -O C:\Windows\Win10autounattend.xml
}else{
#if((Get-Partition -DriveLetter C).PartitionNumber -eq 2){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/2008R2autounattend2.xml -O C:\Windows\Win10autounattend.xml
}
}elseif((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "Windows 7"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win7autounattend.xml -O C:\Windows\Win10autounattend.xml
}elseif((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "Windows 8.1|Windows 10|Windows 11"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win10unattend_pro.xml -O C:\Windows\Win10autounattend.xml
}else{
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/unattend_pro.xml -O C:\Windows\Win10autounattend.xml
}
# pick the virtio driver package that matches the OS generation
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|Windows 7"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win7_Win2008R2.zip -O c:\drivers.zip
}elseif((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2012 R2|Windows 8.1"){
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win8.1_Win2012R2.zip -O c:\drivers.zip
}else{
wget.exe http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/115.159.148.149/Win10_2016_2019.zip -O c:\drivers.zip
}
cmd.exe /c rd /S /Q c:\drivers 2>&1 > $null
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|2012 R2|Windows 7|Windows 8.1"){
& "$env:ProgramFiles\7-Zip\7z.exe" x -aoa c:\drivers.zip -oc:\drivers
}else{
expand-archive -path "c:\drivers.zip" -destinationpath c:\drivers
}
pnputil -i -a c:\drivers\amd64\viostor.inf
pnputil -i -a c:\drivers\amd64\netkvm.inf
#reagentc /info
mkdir C:\boottmp -force
# reagentc /info reports e.g. "\\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE"; keep the folder name after Recovery\
$RecoveryPath=[regex]::Match(((reagentc /info) -join "`n"), '\\Recovery\\(\S+)').Groups[1].Value
$RecoveryPathRoot="C:"
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2012 R2|2016"){
if((Get-Partition -DiskNumber 0 -PartitionNumber 1).DriveLetter -ne "C"){
#Get-Partition -DiskNumber 0 -PartitionNumber 1 | Set-Partition -NewDriveLetter O 2>&1 > $null
$datapan = @"
sel disk 0
sel part 1
assign letter=O
"@
$datapan|diskpart
$RecoveryPathRoot="O:"
}
}
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2008 R2|Windows 7"){
Dism /Get-WimInfo /WimFile:"$RecoveryPathRoot\Recovery\$RecoveryPath\Winre.wim"
Dism /Mount-Wim /WimFile:"$RecoveryPathRoot\Recovery\$RecoveryPath\Winre.wim" /index:1 /MountDir:"C:\boottmp"
Dism /Add-Driver /Image:"C:\boottmp" /Driver:"C:\drivers\amd64\viostor.inf" /ForceUnsigned
Dism /Add-Driver /Image:"C:\boottmp" /Driver:"C:\drivers\amd64\netkvm.inf" /ForceUnsigned
Dism /Image:"C:\boottmp" /Get-Drivers
Dism /Unmount-Wim /MountDir:"C:\boottmp" /Commit
#Dism /Unmount-Wim /MountDir:"C:\boottmp" /Discard
}else{
Dism /Get-ImageInfo /ImageFile:"$RecoveryPathRoot\Recovery\$RecoveryPath\Winre.wim"
Dism /Mount-Image /ImageFile:"$RecoveryPathRoot\Recovery\$RecoveryPath\Winre.wim" /index:1 /MountDir:"C:\boottmp"
Dism /Add-Driver /Image:"C:\boottmp" /Driver:"C:\drivers\amd64\viostor.inf" /ForceUnsigned
Dism /Add-Driver /Image:"C:\boottmp" /Driver:"C:\drivers\amd64\netkvm.inf" /ForceUnsigned
Dism /Image:"C:\boottmp" /Get-Drivers
Dism /Unmount-Image /MountDir:"C:\boottmp" /Commit
#Dism /Unmount-Image /MountDir:"C:\boottmp" /Discard
}
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "2012 R2|2016"){
if((Get-Partition -DiskNumber 0 -PartitionNumber 1).DriveLetter -ne "C"){
#Remove-PartitionAccessPath -DiskNumber 0 -PartitionNumber 1 -Accesspath O:
$datapan = @"
sel disk 0
sel part 1
remove letter=O
"@
$datapan|diskpart
}
}
cmd.exe /c rd /S /Q C:\boottmp 2>&1 > $null
cmd.exe /c rd /S /Q C:\drivers 2>$null
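Before running the in-place upgrade from the top of the post it is worth knowing whether winre.wim already carries viostor/netkvm, since their absence is what produces 0xC1900101 - 0x20017. The following is an added example, not the post's script: it locates winre.wim through reagentc, mounts it read-only with Dism and reports which of the two drivers are missing. It generalizes the partition handling above by reading the disk and partition numbers from reagentc instead of assuming partition 1; the temporary O: letter, the mount folder and the function names are assumptions.

```powershell
# Added example, not part of the original post. Assumes an elevated Windows PowerShell 5.1 session on
# Windows 8.1 / Server 2012 R2 or later (Get-Partition and Dism /Mount-Image /ReadOnly are available).
function Get-WinReImagePath {
    # reagentc /info prints e.g. "Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE"
    $info = (reagentc.exe /info) -join "`n"
    $m = [regex]::Match($info, '(?i)GLOBALROOT\\device\\harddisk(\d+)\\partition(\d+)\\(\S+)')
    if (-not $m.Success) { throw 'No Windows RE location reported; WinRE may be disabled (reagentc /enable).' }
    $disk = [int]$m.Groups[1].Value
    $part = [int]$m.Groups[2].Value
    $rel  = $m.Groups[3].Value                      # e.g. Recovery\WindowsRE
    $letter = "$((Get-Partition -DiskNumber $disk -PartitionNumber $part).DriveLetter)"
    $temp = $false
    if ($letter -notmatch '^[A-Za-z]$') {
        # recovery partitions normally have no drive letter; borrow O: (assumed free) for the check
        "sel disk $disk`nsel part $part`nassign letter=O" | diskpart.exe | Out-Null
        $letter = 'O'; $temp = $true
    }
    [pscustomobject]@{ Path = "${letter}:\$rel\Winre.wim"; Disk = $disk; Partition = $part; TempLetter = $temp }
}

function Test-WinReVirtioDrivers {
    # Returns which of the required virtio drivers are already inside winre.wim; Ready=$true means the
    # recovery image can see virtio disks and NICs, the condition the post's driver injection establishes.
    param([string[]]$Required = @('viostor.inf', 'netkvm.inf'))
    $img   = Get-WinReImagePath
    $mount = Join-Path $env:SystemDrive 'winre_check'      # assumed scratch folder
    New-Item -ItemType Directory -Path $mount -Force | Out-Null
    try {
        & Dism.exe /Mount-Image /ImageFile:"$($img.Path)" /Index:1 /MountDir:"$mount" /ReadOnly | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Dism could not mount $($img.Path) (exit code $LASTEXITCODE)" }
        # each third-party driver entry in /Get-Drivers output has a line "Original File Name : <name>.inf"
        $present = @(& Dism.exe /Image:"$mount" /Get-Drivers | ForEach-Object {
            if ($_ -match 'Original File Name\s*:\s*(\S+)') { $Matches[1].ToLower() }
        })
        $missing = @($Required | Where-Object { $present -notcontains $_.ToLower() })
        [pscustomobject]@{ Image = $img.Path; Present = $present; Missing = $missing; Ready = ($missing.Count -eq 0) }
    }
    finally {
        & Dism.exe /Unmount-Image /MountDir:"$mount" /Discard | Out-Null
        Remove-Item -Path $mount -Recurse -Force -ErrorAction SilentlyContinue
        if ($img.TempLetter) { "sel disk $($img.Disk)`nsel part $($img.Partition)`nremove letter=O" | diskpart.exe | Out-Null }
    }
}

Test-WinReVirtioDrivers
```

Run it once before the upgrade and once after the injection script above; the second run should list both drivers under Present and report Ready = True.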
Turn off the firewall
netsh advfirewall set allprofiles state off
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules /va /f 2>$null
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System /va /f 2>$null
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules /va /f 2>$null
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System /va /f 2>$null
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules /va /f 2>$null
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System /va /f 2>$null
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" /v DeleteUserAppContainersOnLogoff /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy" /v DeleteUserAppContainersOnLogoff /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy" /v DeleteUserAppContainersOnLogoff /t REG_DWORD /d 1 /f
Enable password complexity; note that this runs in cmd, or save it as a .bat and run that
secedit /export /cfg c:\secpol.cfg
echo. >c:\out.txt
type c:\secpol.cfg | findstr -i complex >>c:\out.txt
powershell -command "(GC C:\secpol.cfg) -Replace 'PasswordComplexity = 0','PasswordComplexity = 1' | Out-File C:\secpol.cfg"
echo. >>c:\out.txt
type c:\secpol.cfg | findstr -i complex >>c:\out.txt
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
del /q c:\secpol.cfg
type c:\out.txt
del /q c:\out.txt
del %windir%\security\logs\scesrv.log
powershell -command "Set-ExecutionPolicy Unrestricted -force"
@rem wmic pagefile list /format:list
@rem start /w pkgmgr /iu:"TelnetClient"
cmd.exe /c "start /w pkgmgr /iu:TelnetClient"
Speed up file listing on SMB and NFS clients
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "FileInfoCacheLifetime" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "FileNotFoundCacheLifetime" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters" /v "DirectoryCacheLifetime" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "AttributeTimeDelta" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "FileAttributeCache" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Client for NFS\CurrentVersion\Users\Default\Cache" /v "RemoteWriteCache" /d 0 /t REG_DWORD /f
Clean up junk files; note that this runs in cmd, or save it as a .bat and run that
@rem first create registry flags marking what should be cleaned
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Delivery Optimization Files" /v StateFlags6550 /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\DownloadsFolder" /v StateFlags6550 /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files" /v StateFlags6550 /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin" /v StateFlags6550 /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files" /v StateFlags6550 /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup" /v StateFlags6550 /t REG_DWORD /d 2 /f
@rem then cleanmgr /sagerun:6550 cleans according to those flags
cleanmgr /sagerun:6550 2>nul
@rem finally remove the registry values created above
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Delivery Optimization Files" /v StateFlags6550 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\DownloadsFolder" /v StateFlags6550 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files" /v StateFlags6550 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin" /v StateFlags6550 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files" /v StateFlags6550 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup" /v StateFlags6550 /f
rd /s /q %SYSTEMDRIVE%\Windows\Temp 2>nul 1>nul
@rem rd /s /q "%SYSTEMDRIVE%\Windows\Downloaded Program Files" 2>nul 1>nul
rd /s /q %SYSTEMDRIVE%\$Recycle.bin 2>nul 1>nul
@rem %SYSTEMDRIVE%\Windows\System32\cleanmgr.exe /d C /verylowdisk 2>nul 1>nul
@rem %SYSTEMDRIVE%\Windows\System32\cleanmgr.exe /d C /autoclean 2>nul 1>nul
Back up the hosts file and add the usual internal domain entries. Note that this is run in cmd, or saved as a .bat file and executed.
set datemine=%date:~0,4%%date:~5,2%%date:~8,2%
echo;%time:~0,1%|find " "&&(set timehour=0%time:~1,1%) || (set timehour=%time:~0,2%)
set timeother=%time:~3,2%%time:~6,2%
set filename=%datemine%%timehour%%timeother%
copy c:\windows\system32\drivers\etc\hosts c:\windows\system32\drivers\etc\%filename%_hosts
echo.>c:\windows\system32\drivers\etc\hosts
echo 169.254.0.3 mirrors.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.15 update2.agent.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.4 receiver.barad.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.5 custom.message.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.10.10 metadata.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.23 metadata.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.19 kms.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.54 kms1.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.26 windowsupdate.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.2 ntpupdate.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.79 time1.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.80 time2.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.81 time3.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.82 time4.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.83 time5.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.55 s.yd.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.55 l.yd.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.55 u.yd.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 notify.tat-tc.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 invoke.tat-tc.tencentyun.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 invoke.tat-tc.tencent.cn>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 invoke.tat-tc.tencent.com.cn>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 invoke.tat.tencent-cloud.com>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 notify.tat-tc.tencent.cn>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 notify.tat-tc.tencent.com.cn>> c:\windows\system32\drivers\etc\hosts
echo 169.254.0.138 notify.tat.tencent-cloud.com>> c:\windows\system32\drivers\etc\hosts
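The batch script above truncates hosts with `echo.>` and rewrites it from scratch. As an added example (not from the original post), the PowerShell below takes the same backup-then-write approach but merges instead: it keeps whatever is already in the file, appends only the ip/name pairs that are missing, and then checks each name through the OS resolver. The entry list is a subset of the one above; the hosts path and the timestamped backup name follow the batch script.

```powershell
# Added example, not from the original post. Back up hosts with a timestamp,
# then merge the Tencent Cloud internal entries without wiping what is already
# in the file (the post's batch script overwrites it). Run elevated.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Subset of the entries from the post; extend this list with the rest.
$Wanted = @(
    '169.254.0.3    mirrors.tencentyun.com',
    '169.254.0.15   update2.agent.tencentyun.com',
    '169.254.10.10  metadata.tencentyun.com',
    '169.254.0.23   metadata.tencentyun.com',
    '169.254.0.19   kms.tencentyun.com',
    '169.254.0.2    ntpupdate.tencentyun.com',
    '169.254.0.138  invoke.tat-tc.tencentyun.com'
)

function Backup-Hosts {
    # Same naming idea as the batch script: <yyyyMMddHHmmss>_hosts next to the original
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $dest  = Join-Path (Split-Path $HostsPath -Parent) "${stamp}_hosts"
    Copy-Item -Path $HostsPath -Destination $dest -Force
    return $dest
}

function Merge-HostsEntries {
    param([string[]]$Entries)
    # Index the existing "ip name" pairs, ignoring comments and blank lines
    $have = @{}
    foreach ($line in (Get-Content -Path $HostsPath -ErrorAction SilentlyContinue)) {
        $clean = ($line -replace '#.*$', '').Trim()
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        for ($i = 1; $i -lt $parts.Count; $i++) { $have["$($parts[0]) $($parts[$i])"] = $true }
    }
    # Append only the pairs that are missing, so reruns are harmless
    $added = @()
    foreach ($entry in $Entries) {
        $ip, $name = ($entry.Trim() -split '\s+')[0, 1]
        $key = "$ip $name"
        if (-not $have.ContainsKey($key)) {
            $added += "$ip`t$name"
            $have[$key] = $true
        }
    }
    if ($added.Count -gt 0) {
        # Make sure we start on a fresh line if the file has no trailing newline
        $raw = [IO.File]::ReadAllText($HostsPath)
        if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { Add-Content -Path $HostsPath -Value '' -Encoding Ascii }
        Add-Content -Path $HostsPath -Value $added -Encoding Ascii
    }
    return $added
}

function Test-HostsEntries {
    param([string[]]$Entries)
    # Resolve through the OS resolver, which consults the hosts file before DNS
    foreach ($entry in $Entries) {
        $ip, $name = ($entry.Trim() -split '\s+')[0, 1]
        $resolved = try { [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString } catch { @() }
        [pscustomobject]@{ Name = $name; Expected = $ip; Resolved = ($resolved -join ','); OK = ($resolved -contains $ip) }
    }
}

$backup = Backup-Hosts
$new    = Merge-HostsEntries -Entries $Wanted
Write-Host "backup: $backup; entries added: $($new.Count)"
Test-HostsEntries -Entries $Wanted | Format-Table -AutoSize
```

Pairs are keyed on ip plus name, so a name that the list maps to two addresses (metadata.tencentyun.com above) is kept as two lines, as in the batch script; the resolver check may then report only the first address for that name.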
If the machine has public network access, install with the PowerShell commands below; if it has no public access, follow the official documentation.
$client1 = new-object System.Net.WebClient
$client1.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/7z2200-x64.msi','c:\7z2200-x64.msi')
msiexec.exe /i c:\7z2200-x64.msi /qn
Start-Sleep 30
del c:\7z2200-x64.msi 2>$null
cmd.exe /c rd /S /Q C:\tat_agent_windows_x86_64 2>&1 > $null
del c:\tat_agent_windows_x86_64.zip 2>&1 > $null
$client = new-object System.Net.WebClient
$client.DownloadFile('http://tat-gz-1258344699.cos.ap-guangzhou.myzijiebao.com/tat_agent_windows_x86_64.zip','c:\tat_agent_windows_x86_64.zip')
& "$env:ProgramFiles\7-Zip\7z.exe" x -aoa c:\tat_agent_windows_x86_64.zip -oC:\tat_agent_windows_x86_64
cmd /c C:\tat_agent_windows_x86_64\uninstall.bat 2>&1 >$null
cmd /c C:\tat_agent_windows_x86_64\install.bat 2>&1 >$null
cmd.exe /c rd /S /Q C:\tat_agent_windows_x86_64 2>&1 > $null
del c:\tat_agent_windows_x86_64.zip 2>$null
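The commands above download installers over plain HTTP and hand them straight to msiexec, with a fixed Start-Sleep standing in for completion. As an added example (not from the original post), the PowerShell below downloads to a temporary name, checks the file's SHA-256 against a value obtained out of band before anything is executed, and waits for msiexec's exit code. The URL is the 7-Zip one from the post; the expected hash is a placeholder that must be replaced.

```powershell
# Added example, not from the original post: download an installer, verify its
# SHA-256 against a value obtained out of band, and only then run msiexec.
# The hash below is a placeholder; the URL is the one used in the post.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $partial = "$Destination.partial"
    $client  = New-Object System.Net.WebClient
    try     { $client.DownloadFile($Url, $partial) }
    finally { $client.Dispose() }

    # Get-FileHash returns upper-case hex, so normalise the expected value the same way
    $actual = (Get-FileHash -Path $partial -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -Path $partial -Force
        throw "SHA-256 mismatch for ${Url}: expected $ExpectedSha256, got $actual"
    }
    Move-Item -Path $partial -Destination $Destination -Force
    return $Destination
}

function Install-VerifiedMsi {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $msi = Join-Path $env:TEMP ([IO.Path]::GetFileName($Url))
    Get-VerifiedFile -Url $Url -Destination $msi -ExpectedSha256 $ExpectedSha256 | Out-Null

    # -Wait replaces the fixed Start-Sleep; the exit code says whether the install worked
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /qn /norestart" -Wait -PassThru
    Remove-Item -Path $msi -Force -ErrorAction SilentlyContinue
    if ($proc.ExitCode -notin @(0, 3010)) { throw "msiexec exited with code $($proc.ExitCode)" }
    return $proc.ExitCode   # 0 = success, 3010 = success but a reboot is required
}

# Usage with the 7-Zip installer URL from the post. Replace the placeholder with
# the SHA-256 published by the vendor or recorded when you staged the file yourself.
Install-VerifiedMsi -Url 'http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/7z2200-x64.msi' `
                    -ExpectedSha256 'REPLACE_WITH_SHA256_FROM_A_TRUSTED_SOURCE'
```

The same function pair applies to the tat_agent zip: verify the archive with Get-VerifiedFile before extracting it, instead of running install.bat from whatever arrived.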
Turn UAC off/on; turning it off is recommended
Disable UAC
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Enable UAC
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
Hide/show OneDrive in File Explorer
Hide OneDrive
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 0 /f
Restore OneDrive
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /t REG_DWORD /d 1 /f
Disable clearing the pagefile at shutdown; it seriously lengthens shutdown time
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /d 0 /t REG_DWORD /f
Explicitly set Wired AutoConfig to start automatically at boot
Set-Service -Name RasAuto -StartupType Manual
Set-Service -Name RasMan -StartupType Manual
Set-Service -Name dot3svc -StartupType Automatic
sc.exe config dot3svc start= auto
Tune NIC receive performance
$NICName=(Get-WmiObject Win32_NetworkAdapter -Filter 'NetEnabled=True').NetConnectionID
#Close RSS
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*RSS" -RegistryValue 0
#Close Checksum Offload
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*IPChecksumOffloadIPv4" -RegistryValue 0
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*TCPChecksumOffloadIPv4" -RegistryValue 0
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*TCPChecksumOffloadIPv6" -RegistryValue 0
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*UDPChecksumOffloadIPv4" -RegistryValue 0
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "*UDPChecksumOffloadIPv6" -RegistryValue 0
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "OffLoad.RxCS" -RegistryValue 0
#Change Init.MaxRxBuffers to 1024
Set-NetAdapterAdvancedProperty -Name $NICName -RegistryKeyword "RxCapacity" -RegistryValue 1024
#Restart NIC
Restart-NetAdapter -Name $NICName -Confirm:$false
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters -Name "DoNotHoldNicBuffers" -Value "1" -Force
Disable Storage Sense and disk-related scheduled tasks
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\StorageSense" /v "AllowStorageSenseGlobal" /d 0 /t REG_DWORD /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Data Integrity Scan\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Defrag\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null
Control whether recently used files are shown in Quick Access
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowFrequent" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowCloudFilesInQuickAccess" /t REG_DWORD /d 0 /f
Disable DDACLSys (when a data disk holds a very large number of files, every reinstall from a sysprepped image can hang for a long time; disabling this helps)
reg add "HKLM\System\Setup" /v DDACLSys_Disabled /t REG_DWORD /d 1 /f
Count files
cd /d C:\
dir D: /b /s /a-d | find /v /c ""
dir G: /b /s /a-d | find /v /c ""
Replace the drive letter with whatever your data disk uses.
Building some troubleshooting tools into the Windows image ahead of time pays off,
for example the elevation and log-analysis tools from www.nirsoft.net, packet capture tools, Microsoft's Windows Performance Toolkit and the Sysinternals tools.
I. www.nirsoft.net elevation tools, log analysis tools, etc.
Elevate with AdvancedRun
https://cloud.tencent.com/developer/article/2285183
wget http://www.nirsoft.net/utils/advancedrun-x64.zip -Outfile r:\downloads\advancedrun-x64.zip
Analyze logs with FullEventLogView
https://cloud.tencent.com/developer/article/1866711
wget http://www.nirsoft.net/utils/fulleventlogview-x64.zip -Outfile r:\downloads\fulleventlogview-x64.zip
II. Microsoft Sysinternals tools
http://live.sysinternals.com/accesschk.exe
http://live.sysinternals.com/accesschk64.exe
http://live.sysinternals.com/Procmon.exe
http://live.sysinternals.com/Procmon64.exe
http://live.sysinternals.com/PsExec.exe
http://live.sysinternals.com/PsExec64.exe
http://live.sysinternals.com/Autoruns.exe
http://live.sysinternals.com/Autoruns64.exe
http://live.sysinternals.com/procexp.exe
http://live.sysinternals.com/procexp64.exe
wget http://live.sysinternals.com/accesschk.exe -Outfile r:\downloads\accesschk.exe
wget http://live.sysinternals.com/accesschk64.exe -Outfile r:\downloads\accesschk64.exe
wget http://live.sysinternals.com/Procmon.exe -Outfile r:\downloads\Procmon.exe
wget http://live.sysinternals.com/Procmon64.exe -Outfile r:\downloads\Procmon64.exe
wget http://live.sysinternals.com/PsExec.exe -Outfile r:\downloads\PsExec.exe
wget http://live.sysinternals.com/PsExec64.exe -Outfile r:\downloads\PsExec64.exe
wget http://live.sysinternals.com/Autoruns.exe -Outfile r:\downloads\Autoruns.exe
wget http://live.sysinternals.com/Autoruns64.exe -Outfile r:\downloads\Autoruns64.exe
wget http://live.sysinternals.com/procexp.exe -Outfile r:\downloads\procexp.exe
wget http://live.sysinternals.com/procexp64.exe -Outfile r:\downloads\procexp64.exe
How do you find out which .sys drivers and .dll files the system or a business process has loaded? Use procmon.
Select the System process or the business process on the left, then click View → Lower Pane View → DLLs (Ctrl+D); the .sys and .dll files are listed in the lower pane.
Viewing Privileges in procexp is a bit cumbersome; accesschk makes it easy.
https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
Example:
-p takes a process name or PID
accesschk64.exe -p -f -v powershell
accesschk64.exe -p -f -v 5688
III. Antivirus and protection software
Huorong, Symantec, 360 System Rescue Kit
360 System Rescue Kit: http://www.360.cn/jijiuxiang/guide.html
IV. Packet capture tools
1. Wireshark
https://2.na.dl.wireshark.org/win64/all-versions/
2. Microsoft Network Monitor
For the Explorer hang problem with network-mapped drives, Network Monitor needs to be built into the image ahead of time.
First, when the problem occurs, try to collect an explorer dump (Task Manager → Details → right-click the unresponsive explorer.exe → "Create dump file") together with a network capture. If Explorer is so stuck that neither a dump nor a capture can be collected, find a way to collect a full memory dump (1. configure a 30 GB pagefile in advance; a smaller one may not produce a .dmp with enough information; 2. for collection, an NMI is injected from the host machine to make Windows bugcheck and write the dump; wait patiently and do not interfere with the machine until it is back to normal, then hand over a .7z archive of c:\windows\memory.dmp).
Next, collect the network capture:
Step 1: Download Network Monitor from the Microsoft site (make sure to pick the package for the target machine's platform) and install it with the default options, ahead of time.
http://www.microsoft.com/en-us/download/details.aspx?id=4865 (the latest version is currently 3.4)
https://download.microsoft.com/download/7/1/0/7105C7FF-768E-4472-AFD5-F29108D1E383/NM34_x64.exe
Step 2: Open a cmd window as Administrator and run:
nmcap.exe /Network * /useprofile 3 /Capture /File c:\network.cap:1024M
nmcap.exe lives at C:\Program Files\Microsoft Network Monitor 3\nmcap.exe; if it cannot be run directly, add C:\Program Files\Microsoft Network Monitor 3 to the PATH environment variable.
Step 3: Open File Explorer to reproduce the hang (This PC / Computer, the file manager, the mapped network drive letter, anything that opens Explorer will do).
Step 4: Go back to the command window and press Ctrl+C to stop the capture, then compress c:\network.cap into .7z; c:\network.cap.7z is the capture needed for troubleshooting.
Also, put this wget.exe into the C:\Windows directory:
$client = new-object System.Net.WebClient
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/wget64.exe','c:\windows\wget.exe')
Usage:
wget.exe url -O c:\mubiao.xxx
This is different from PowerShell's wget, which is just an alias for Invoke-WebRequest.
Because PowerShell may be unusable when the problem occurs, you need a download tool that works from cmd, which is this wget.exe.
V. Microsoft Windows Performance Toolkit (WPT = WPR + WPA = Recorder + Analyzer)
Since Win10 came out, WPT supports Win8/2012 and later and no longer supports Win7/2008R2.
1. To use WPT on Win7/2008R2, the only option is the Windows 8.1 SDK.
2. The Win10 (≥ Win10 2004) winsdksetup.exe and adksetup.exe do not work on 2008R2 and 2012R2.
winsdksetup.exe and adksetup.exe older than Win10 2004 can both install the Windows Performance Toolkit (including wpr.exe) on 2012R2 and later.
2008R2 or Win7 can only use the Windows 8.1 SDK; WPT (wpr and wpa) on a cloud server may behave differently than on a physical machine.
3. It must be stressed that Win8.1/2012R2 should not use the ADK and SDK meant for Win10/Win11.
After I installed WPT on 2012R2 with [ADK for Windows 10 version 2004], running WPR threw errors; for Windows 8.1/2012R2 it is best to use the following.
The old Windows 8.1 SDK:
https://developer.microsoft.com/zh-cn/windows/downloads/sdk-archive/
https://go.microsoft.com/fwlink/p/?LinkId=323507
https://download.microsoft.com/download/B/0/C/B0C80BA3-8AD6-4958-810B-6882485230B5/standalonesdk/sdksetup.exe
4. If installing the Windows Performance Toolkit (WPT = WPR + WPA = Recorder + Analyzer) fails with "the procedure entry point could not be located", see my article:
https://cloud.tencent.com/developer/article/2059673
VI. Virtualization driver installers
Tencent Cloud's customized VirtIO download links are below; pick the one that matches your network environment.
Public network download:
http://mirrors.tencent.com/install/windows/virtio_64_1.0.9.exe
Internal network download:
http://mirrors.tencentyun.com/install/windows/virtio_64_1.0.9.exe
Alibaba Cloud's VirtIO is not compatible with Tencent Cloud's; when migrating to Tencent Cloud, first remove the Alibaba Cloud driver with dism in WinPE, then install the Tencent Cloud driver.
Install cloudbase-init
PowerShell automation to reinstall cloudbase-init as version 1.1.2:
https://cloud.tencent.com/developer/article/1940021
A reminder:
For domain workloads, remove the hostname module from the cloudbase-init configuration file (cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin in C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf).
Otherwise, in some special cases domain workloads may break: domain membership is tied to the hostname, and if the hostname module is present it can change the hostname and thereby affect the domain.
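As an added example (not from the original post or the cloudbase-init project), the PowerShell below performs the edit just described: it removes SetHostNamePlugin from the comma-separated `plugins=` line of cloudbase-init.conf, keeps a .bak copy, and reports whether anything changed so it can be rerun safely while building the image. It assumes the default install path given above and a single-line `plugins=` entry, as in the stock config.

```powershell
# Added example, not from the original post: drop the hostname plugin from
# cloudbase-init.conf for domain-joined images. Keeps a .bak copy and reports
# whether anything changed, so it is safe to run more than once.
$ConfPath = 'C:\Program Files\Cloudbase Solutions\Cloudbase-Init\conf\cloudbase-init.conf'
$Plugin   = 'cloudbaseinit.plugins.common.sethostname.SetHostNamePlugin'

function Remove-CloudbaseInitPlugin {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PluginName
    )
    if (-not (Test-Path -Path $Path)) { throw "cloudbase-init config not found: $Path" }

    $changed = $false
    $out = foreach ($line in (Get-Content -Path $Path)) {
        # The plugin list is one "plugins=a,b,c" line (assumed single-line, as in the default config)
        if ($line -match '^\s*plugins\s*=') {
            $key, $value = $line -split '=', 2
            $items = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $kept  = @($items | Where-Object { $_ -ne $PluginName })
            if ($kept.Count -ne $items.Count) { $changed = $true }
            "$($key.Trim())=$($kept -join ',')"
        } else {
            $line
        }
    }

    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force
        # WriteAllLines writes UTF-8 without a BOM, which the config parser is happy with
        [IO.File]::WriteAllLines($Path, [string[]]$out)
    }
    return $changed
}

function Get-CloudbaseInitPlugins {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the current plugin list so the result can be checked after the edit
    $line = Get-Content -Path $Path | Where-Object { $_ -match '^\s*plugins\s*=' } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
}

if (Remove-CloudbaseInitPlugin -Path $ConfPath -PluginName $Plugin) {
    Write-Host "removed $Plugin; backup at $ConfPath.bak"
} else {
    Write-Host "nothing to do; $Plugin not present"
}
Get-CloudbaseInitPlugins -Path $ConfPath
```

Run it after the reinstall step above and before the image is captured; the printed plugin list should no longer contain SetHostNamePlugin while the other plugins are untouched.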
Turn off power management for the mouse (USB hub), otherwise VNC may occasionally freeze
$HubIDs = (Get-WmiObject Win32_USBHub).PNPDeviceID
foreach ($HubID in @($HubIDs)) {
    # Several hubs and several matching power-management instances are possible; disable each one
    Get-WmiObject MSPower_DeviceEnable -Namespace root\wmi | Where-Object { $_.InstanceName -like "*$HubID*" } | ForEach-Object {
        $_.Enable = $False
        $_.psbase.Put() | Out-Null
    }
}
NMI dump support
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v NMICrashDump /t REG_DWORD /d 1 /f
Avoid disks coming up in the wrong order
Open the registry editor regedit.exe, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viostor, find the Tag value in the right pane, change it to 1, then reboot.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\viostor" /v Tag /t REG_DWORD /d 1 /f
Update the virtualization drivers
When updating drivers, run clear_virtio_driver.bat first to uninstall the old version, then reinstall the viostor and netkvm drivers.
Save the following as clear_virtio_driver.bat; running it uninstalls. For updating the virtualization drivers see https://cloud.tencent.com/developer/article/1927302
for /r "C:\Windows\INF" %%a in (oem*.inf) do (
REM findstr /I "balloon.sys" "%%a" >nul && echo %%~na%%~xa && pnputil -f -d %%~na%%~xa
findstr /I "netkvm.sys" "%%a" >nul && echo %%~na%%~xa && pnputil -f -d %%~na%%~xa
findstr /I "viostor.sys" "%%a" >nul && echo %%~na%%~xa && pnputil -f -d %%~na%%~xa
)
Fix up the cloudbase-init configuration files
$client = new-object System.Net.WebClient
#$client.DownloadFile('http://windowsgz-1251783334.cos.ap-guangzhou.myzijiebao.com/ziyan/Cloudbase-Init.zip','C:\Cloudbase-Init.zip')
$client.DownloadFile('http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/Cloudbase-Init.zip','C:\Cloudbase-Init.zip')
#wget "http://windowsgz-1251783334.cos.ap-guangzhou.myzijiebao.com/ziyan/ec2service.py" -Outfile "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\metadata\services\ec2service.py"
#wget "http://windows-1251783334.cos.ap-shanghai.myzijiebao.com/ec2service.py" -Outfile "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\metadata\services\ec2service.py"
$7zPath = "$env:ProgramFiles\7-Zip\7z.exe"
if (-not (Test-Path -Path $7zPath)) {
    $client7 = new-object System.Net.WebClient
    $client7.DownloadFile('http://windowsgz-1251783334.cos.ap-guangzhou.myzijiebao.com/ziyan/7z2200-x64.msi','c:\7z2200-x64.msi')
    msiexec.exe /i c:\7z2200-x64.msi /qn
    Start-Sleep 30
    del c:\7z2200-x64.msi 2>$null
}
& "$env:ProgramFiles\7-Zip\7z.exe" x -aoa C:\Cloudbase-Init.zip -o"C:\Program Files\Cloudbase Solutions\Cloudbase-Init"
NPSMSvc_xxxxxx, McpManagementService and WaaSMedicSvc show <Failed to read description. Error code: 15100 or 2>
Fix the McpManagementService service description
sc.exe config McpManagementService DisplayName= "Universal Print Management Service" 2>&1 > $null
sc.exe description McpManagementService "Universal Print Management Service" 2>&1 > $null
Fix the NPSMSvc_xxxxxx service description
if((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ProductName -match "Windows 8.1|Windows 10|Windows 11"){
    # Per-user NPSMSvc_xxxxxx instances; there may be more than one, so delete each by name
    $NPSMSvc_xxxxxx = Get-Service NPSMSvc_* -ErrorAction SilentlyContinue
    if($NPSMSvc_xxxxxx -ne $null){
        Stop-Service $NPSMSvc_xxxxxx -ErrorAction SilentlyContinue
    }
    Stop-Service NPSMSvc -ErrorAction SilentlyContinue
    sc.exe delete NPSMSvc 2>&1 > $null
    foreach ($svc in @($NPSMSvc_xxxxxx)) {
        if ($svc) { sc.exe delete $svc.Name 2>&1 > $null }
    }
}
Fix the WaaSMedicSvc service description
sc.exe qc WaaSMedicSvc
sc.exe query WaaSMedicSvc
#Reminder: the following two lines must be run elevated to TrustedInstaller (for elevation see https://cloud.tencent.com/developer/article/2285183 )
#sc.exe config WaaSMedicSvc DisplayName= "Windows Update Medic Service"
#sc.exe config WaaSMedicSvc DisplayName= "WaaSMedicSvc"
sc.exe description WaaSMedicSvc "Enables remediation and protection of Windows Update components."
sc.exe qc WaaSMedicSvc
sc.exe query WaaSMedicSvc
Install virtual sound card software
https://vb-audio.com/Cable/
https://www.e2esoft.cn/vsc/
https://vac.muzychenko.net/en/download.htm
Disable the tablet input (touch) service and the SSDP Discovery service
Stop-Service SSDPSRV 2>&1 > $null
Stop-Service TabletInputService 2>&1 > $null
Set-Service SSDPSRV -StartupType Disabled 2>&1 > $null
Set-Service TabletInputService -StartupType Disabled 2>&1 > $null
Set the Print Spooler service to start at boot
Set-Service -Name Spooler -StartupType Automatic
Use imdisk to create a RAM disk for cache files to speed up access
Temporary workaround when credentials do not work
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v SecurityLayer /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\Rdp-tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
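The post describes these three values as a temporary workaround: SecurityLayer 0 selects the legacy RDP security layer and UserAuthentication 0 turns off Network Level Authentication. As an added example (not from the original post), the PowerShell below reads the current listener settings and puts the values back to TLS (2) and NLA required (1) once the credential problem has been resolved; the registry paths are the ones used above.

```powershell
# Added example, not from the original post: show the RDP listener security
# settings and restore the secure values after the temporary workaround above.
$RdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSecurity {
    $tcp = Get-ItemProperty -Path $RdpTcp
    $pol = Get-ItemProperty -Path $RdpPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecurityLayer       = $tcp.SecurityLayer        # 0 = RDP, 1 = Negotiate, 2 = TLS
        UserAuthentication  = $tcp.UserAuthentication   # 1 = Network Level Authentication required
        PolicySecurityLayer = $pol.SecurityLayer        # $null when no policy override is set
    }
}

function Restore-RdpSecurity {
    # Per-listener values back to TLS and NLA required
    Set-ItemProperty -Path $RdpTcp -Name SecurityLayer      -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Remove the policy override written by the workaround so the listener value applies again
    if (Test-Path -Path $RdpPolicy) {
        Remove-ItemProperty -Path $RdpPolicy -Name SecurityLayer -ErrorAction SilentlyContinue
    }
    Get-RdpSecurity
}

# Usage: inspect first, restore when the credential issue is fixed
Get-RdpSecurity
# Restore-RdpSecurity
```

Get-RdpSecurity gives a quick way to confirm, before capturing the image, that the workaround values have not been left behind in the template.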
Configure auto-logon
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultUserName" /d "Administrator" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "DefaultPassword" /d "your own password" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoAdminLogon" /d "1" /t REG_SZ /f
Disable the OneDrive, Edge and Chrome related scheduled tasks
Get-ScheduledTask | Where-Object { $_.TaskName -like "OneDrive*"}| Disable-ScheduledTask 2>$null
Get-Service MicrosoftEdge*, edgeupdate*|ft -auto
Get-Service GoogleChrome*, gupdate* | ft -auto
Get-Service MicrosoftEdge*, edgeupdate* | Set-Service -StartupType Disabled
Get-Service GoogleChrome*, gupdate* | Set-Service -StartupType Disabled
Get-ScheduledTask | Where-Object { $_.TaskName -like "MicrosoftEdgeUpdateTaskMachine*"} | Disable-ScheduledTask 2>&1 >$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "GoogleUpdateTaskMachine*"} | Disable-ScheduledTask 2>$null
Disable or uninstall system services and scheduled tasks that may affect rendering
All of the following is PowerShell, run as Administrator.
I. Disable or uninstall Microsoft Defender/Endpoint Protection
Whether you disable or uninstall is up to you.
#Disable:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" /v "PreventPlatformUpdate" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /d "FileShares" /t REG_SZ /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
#Uninstall:
# Preview the uninstall (no changes are made)
Uninstall-WindowsFeature -Name Windows-Defender -WhatIf
# Actually uninstall
Uninstall-WindowsFeature -Name Windows-Defender
What does that trailing -WhatIf parameter do?
In PowerShell, the -WhatIf parameter previews what a command would do without actually running it. When you run a command with -WhatIf, PowerShell tells you which operations the command would perform but does not perform them. This is very useful for checking a command's impact before running something potentially dangerous or destructive.
II. Disable scheduled tasks that may affect rendering
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d 1 /f
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Power Efficiency Diagnostics\","\Microsoft\Windows\ApplicationData\","\Microsoft\Windows\Customer Experience Improvement Program\","\Microsoft\Windows\CloudExperienceHost\","\Microsoft\Windows\DiskFootprint\","\Microsoft\Windows\StateRepository\","\Microsoft\Windows\Application Experience\","\Microsoft\Windows\DiskDiagnostic\","\Microsoft\Windows\MemoryDiagnostic\","\Microsoft\Windows\WDI\","\Microsoft\Windows\UpdateOrchestrator\","\Microsoft\Windows\Diagnosis\","\Microsoft\Windows\Network Controller\","\Microsoft\Windows\PI\","\Microsoft\Windows\DiskCleanup\","\Microsoft\Windows\TPM\","\Microsoft\Windows\Windows Defender\","\Microsoft\Windows\Maintenance\" 2>$null | Disable-ScheduledTask 2>$null | ft -auto
Get-ScheduledTask | Where-Object { $_.TaskName -like "OneDrive*"}| Disable-ScheduledTask 2>$null
Get-Service MicrosoftEdge*, edgeupdate*|ft -auto
Get-Service GoogleChrome*, gupdate* | ft -auto
Get-Service MicrosoftEdge*, edgeupdate* | Set-Service -StartupType Disabled
Get-Service GoogleChrome*, gupdate* | Set-Service -StartupType Disabled
Get-ScheduledTask | Where-Object { $_.TaskName -like "MicrosoftEdgeUpdateTaskMachine*"} | Disable-ScheduledTask 2>&1 >$null
Get-ScheduledTask | Where-Object { $_.TaskName -like "GoogleUpdateTaskMachine*"} | Disable-ScheduledTask 2>$null