Category Archives: Microsoft

Outlook AutoArchive Setup Guide


When cloud mailboxes hit quota limits, Outlook’s AutoArchive feature can automatically move older emails from the server into a local PST file. This reduces hosting usage and keeps history safe on the user’s computer.

Step 1 – Open AutoArchive Settings

# In Outlook
File → Options → Advanced
AutoArchive Settings…

Step 2 – Configure AutoArchive

# Recommended Settings
Run AutoArchive every: 14 days
Archive items older than: 90 days
Move old items to: Archive.pst (local drive)

Step 3 – Manual Archive (if interrupted)

If Outlook was closed or the PC shut down during archiving, you can rerun it manually:

# Manual Archive
File → Tools → Clean Up Old Items
Select folders → Archive items older than: 90 days
Choose Archive.pst

Step 4 – Verify Archive

After archiving, open Archive.pst in Outlook (File → Open → Outlook Data File) and confirm emails are present before deleting from the server.

Notes

  • AutoArchive moves emails off the server, freeing quota immediately.
  • POP3 accounts already store mail locally in PST — no archiving needed.
  • IMAP accounts require archiving/export to reduce server usage.
  • For suspended accounts, request a 24h unsuspend window to run archiving.


Outlook AutoArchive Setup Guide (translated from the Sinhala version)

When cloud mailboxes reach their storage limit, Outlook's AutoArchive feature can automatically move older emails off the server into a local PST file. This helps reduce server storage usage and keeps your data safe on your own computer.

Step 1 – Open AutoArchive Settings

In Outlook:

File → Options → Advanced → AutoArchive Settings…

Step 2 – Configure AutoArchive

Recommended settings:

Run AutoArchive every: 14 days
Archive items older than: 90 days
Move old items to: Archive.pst (local drive)

Step 3 – Manual Archive (if interrupted)

If archiving stopped midway for a reason such as the computer shutting down, you can rerun it manually:

File → Tools → Clean Up Old Items
Select folders → Archive items older than: 90 days
Choose Archive.pst

Step 4 – Verify the Archive

After archiving, open the Archive.pst file in Outlook (File → Open → Outlook Data File) and confirm that all emails are present. Only then should you delete them from the server.

Important notes

  • Because AutoArchive removes emails from the server, space is freed immediately.
  • POP3 accounts already keep their data in a PST file, so they do not need archiving.
  • IMAP accounts require archiving or export to reduce server storage.
  • If an account has been temporarily suspended, request a 24-hour window to run archiving.

Microsoft Under Fire: How to Protect Your PC from the ‘YellowKey’ BitLocker Bypass

The cybersecurity world is currently in absolute chaos. A security researcher known as “Nightmare Eclipse” has publicly leaked six critical, zero-day vulnerabilities affecting Windows Defender and BitLocker. Frustrated by Microsoft’s handling of their initial bug bounty reports, the researcher decided to drop the source code directly onto GitHub and GitLab before Microsoft could issue official patches.

Among these leaks, the most alarming vulnerability for everyday users is CVE-2026-45585, dubbed “YellowKey.” This flaw allows attackers with physical access to bypass BitLocker disk encryption entirely and gain full administrative control over your drive via the Windows Recovery Environment (WinRE).


What is the ‘YellowKey’ BitLocker Flaw?

Normally, BitLocker uses your motherboard’s TPM (Trusted Platform Module) chip to automatically release the encryption keys and boot seamlessly into Windows. However, the YellowKey exploit manipulates NTFS logs and a Windows system file called autofstx.exe during the boot phase inside WinRE.

By executing this flaw, an attacker who physically steals your laptop or accesses it while you are away can force-open an elevated Command Prompt (CMD) before Windows even loads. From there, your encrypted files are completely exposed.

The Good News: This is a physical-only exploit. Remote hackers cannot attack your PC over the internet using this flaw. Furthermore, Microsoft explicitly stated that if you are using a TPM + Startup PIN, this vulnerability is completely unexploitable!

Step-by-Step Guide: How to Enable a BitLocker Startup PIN

If your OS drive (C:) is already encrypted with BitLocker, you don’t need to decrypt or reinstall anything. You can add a Startup PIN on top of your existing setup using these simple steps:

Step 1: Enable Startup PIN in Windows Group Policy

By default, Windows won’t allow you to set a PIN alongside a TPM. We must enable it via the Local Group Policy Editor first:

  1. Press Win + R, type gpedit.msc, and hit Enter.
  2. Navigate to the following folder path on the left panel:
    Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives
  3. On the right-side list, find and double-click on “Require additional authentication at startup”.
  4. Switch the toggle at the top to Enabled.
  5. Under the Options box below, locate “Configure TPM startup PIN:” and change it to “Require startup PIN with TPM”.
  6. Click Apply and then OK. You can now close the Group Policy window.

Step 2: Add the PIN via Command Prompt

Now, we will officially assign your unique Startup PIN using an elevated Command Prompt:

  1. Search for cmd in your Start Menu, right-click on it, and select “Run as administrator”.
  2. Copy and paste the following command into CMD and press Enter:
    manage-bde -protectors -add c: -TPMAndPIN
  3. The terminal will prompt you: Type the PIN to use to protect the volume:. Type a secure PIN (minimum 4-6 digits/characters). (Note: For security reasons, the characters will not appear on the screen as you type, so type carefully!)
  4. Press Enter, and confirm the PIN by typing it again when prompted.

If successful, you will see a message stating Key Protectors Added: TPM And PIN.


Step 3: Verify Your New Security Status

To double-check if your system is now fully armored against the YellowKey bypass, run this command in your admin CMD:

manage-bde -status c:

Look under the “Key Protectors” section at the bottom. You should see both Numerical Password (your original recovery key) and TPM And PIN listed clearly.

The next time you reboot your computer, a blue or black BitLocker screen will appear demanding your PIN before Windows even displays its logo. Even if someone physically strips your SSD out or manipulates the recovery environment, they are officially locked out!
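The same three steps as a single PowerShell script, added here as an example that is not part of the original post. It assumes the local-policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and UseTPMPIN, where 1 means "Require") are what the gpedit toggle writes, that a recovery password already exists before the PIN is added, and that it is run from an elevated PowerShell.

```powershell
# Added example: Group Policy + manage-bde -TPMAndPIN + verification, scripted.
# Assumption: the FVE registry values below are the registry storage of the gpedit settings in Step 1.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-TpmPinPolicy {
    # Step 1: "Require additional authentication at startup" = Enabled,
    #         "Configure TPM startup PIN" = Require startup PIN with TPM (value 1)
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Type DWord -Value 1
}

function Read-ConfirmedPin {
    # Read the PIN twice without echoing it; a mistyped PIN would lock you out at next boot
    $first  = Read-Host -Prompt 'Startup PIN' -AsSecureString
    $second = Read-Host -Prompt 'Confirm PIN' -AsSecureString
    $p1 = (New-Object System.Management.Automation.PSCredential('pin', $first)).GetNetworkCredential().Password
    $p2 = (New-Object System.Management.Automation.PSCredential('pin', $second)).GetNetworkCredential().Password
    if ($p1 -cne $p2) { throw 'PINs do not match; nothing was changed.' }
    $p1 = $null; $p2 = $null
    $first
}

function Add-OsDrivePinProtector {
    param([string]$MountPoint = 'C:')
    # Safety check: keep a recovery password available before changing the unlock method
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password on $MountPoint; add and back one up before adding a PIN."
    }
    # Step 2: equivalent of 'manage-bde -protectors -add c: -TPMAndPIN'.
    # The TPM+PIN protector replaces the existing TPM-only protector.
    $pin = Read-ConfirmedPin
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

function Test-OsDriveHardened {
    param([string]$MountPoint = 'C:')
    # Step 3: same information as 'manage-bde -status c:', read from Get-BitLockerVolume
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType
    [PSCustomObject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        HasTpmPin        = ($types -contains 'TpmPin')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        Hardened         = ($types -contains 'TpmPin') -and ($vol.ProtectionStatus -eq 'On')
    }
}

Enable-TpmPinPolicy
Add-OsDrivePinProtector -MountPoint 'C:'
Test-OsDriveHardened -MountPoint 'C:' | Format-List
```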


Conclusion

While Microsoft is currently rushing to build official patches to address this drama before the researcher drops another “bombshell” update, taking matters into your own hands is the ultimate way to stay secure. Enable your Startup PIN today, keep your Windows Updates turned on, and rest easy knowing your data is untouchable.

Kapothi Wi‑Fi Ritual: Backup & Restore Your Wireless Keys

A classic Kapothi problem: when you reinstall Windows or get a new PC, you don't remember the Wi‑Fi password and end up offline. The solution is the Wi‑Fi profiles backup & restore ritual.

Kapothi Note 🪶:
Before running the backup command, create a folder where you want to save your Wi‑Fi profiles — for example, C:\WiFiBackup.

⚠️ If you created the backup folder on your C drive, make sure to copy that folder to another drive or external storage before formatting or restoring your computer. Otherwise, your Wi‑Fi backups will be lost during the reinstall.
Kapothi Command Box — Backup

# Step 1: Run CMD as Administrator
→ Win+R → cmd → Ctrl+Shift+Enter

# Step 2: Export all Wi-Fi profiles with passwords
netsh wlan export profile folder=C:\WiFiBackup key=clear

# Output:
→ XML files saved in C:\WiFiBackup
→ Each file contains SSID + password
Kapothi Command Box — Restore

# Step 1: Copy XML files to target PC
→ Example: C:\WiFiBackup

# Step 2: Import profile back
netsh wlan add profile filename="C:\WiFiBackup\ProfileName.xml"

# Result:
→ Wi-Fi network restored with original password

Notes

  • netsh wlan show profiles → Lists saved SSIDs.
  • netsh wlan export profile → Dumps all profiles into XML.
  • netsh wlan add profile → Restores them on another PC.
  • Handle XML files carefully — they contain plain text passwords.
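The restore step for a whole folder at once, plus the audit the last note asks for, as an added example that is not part of the original post. It assumes the backup folder C:\WiFiBackup from the post and the WLANProfile XML layout that netsh writes.

```powershell
# Added example: import every exported profile, then report which XML files still hold
# the Wi-Fi key in clear text so they can be deleted or moved to encrypted storage.
# Assumption: C:\WiFiBackup is the folder used in the post; change it to your own.
param([string]$BackupFolder = "C:\WiFiBackup")

function Get-WifiBackupReport {
    param([string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.xml -File) {
        # netsh writes one WLANProfile document per SSID; dot navigation ignores the XML namespace
        [xml]$doc = Get-Content -Path $file.FullName -Raw
        $shared = $doc.WLANProfile.MSM.security.sharedKey
        [PSCustomObject]@{
            File     = $file.Name
            SSID     = $doc.WLANProfile.name
            AuthType = $doc.WLANProfile.MSM.security.authEncryption.authentication
            # protected=false means keyMaterial is the plain-text passphrase (key=clear export);
            # open networks have no sharedKey element at all
            ClearKey = [bool]($shared -and $shared.protected -eq 'false')
        }
    }
}

function Restore-WifiBackup {
    param([string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.xml -File) {
        # user=all makes the profile available to every account on the PC
        $result = netsh wlan add profile filename="$($file.FullName)" user=all
        [PSCustomObject]@{ File = $file.Name; Result = ($result | Out-String).Trim() }
    }
}

$report = Get-WifiBackupReport -Folder $BackupFolder
$report | Format-Table -AutoSize
Restore-WifiBackup -Folder $BackupFolder | Format-Table -AutoSize

$clear = $report | Where-Object ClearKey
if ($clear) {
    Write-Warning ("{0} file(s) contain plain-text keys: {1}" -f @($clear).Count, ($clear.File -join ', '))
    Write-Warning "Once 'netsh wlan show profiles' lists the SSIDs, delete these files or move them to encrypted storage."
}
```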

HWID Activation in Windows 10/11 – The Digital License That Never Expires

🔑 HWID Activation in Microsoft

HWID (Hardware ID) Activation is a Microsoft digital license method that permanently activates Windows 10/11 by tying the activation to your device’s hardware profile. Once activated, the license is stored online and automatically reapplied after reinstallations, as long as the hardware remains the same.

🔎 What HWID Activation Means

  • HWID = Hardware ID → A unique fingerprint of your PC’s hardware (CPU, motherboard, etc.) is generated and registered with Microsoft’s activation servers.
  • Digital License → Instead of a product key, Windows uses this hardware fingerprint to grant a permanent license.
  • Persistence → If you reinstall Windows 10/11 on the same machine, it will auto‑activate again once connected to the internet.
  • Scope → Works for Windows 10/11 Home, Pro, Education, Enterprise editions. Not supported for Windows Server or older versions like Windows 7/8.1.

⚡ Key Characteristics

  • Permanent Activation: No expiry, unlike KMS (180 days).
  • Internet Required: At least once, to register the hardware fingerprint with Microsoft.
  • No Product Key Needed: After initial activation, reinstallations don’t require re‑entering a key.
  • Device‑Bound: Major hardware changes (like motherboard replacement) may invalidate the HWID license.

🧩 Comparison with Other Activation Methods

Method       | Products Supported | Duration  | Internet Needed  | Notes
HWID         | Windows 10/11      | Permanent | Yes              | Digital license tied to hardware
KMS (Online) | Windows/Office     | 180 days  | Yes              | Needs renewal task
Ohook        | Office             | Permanent | No               | For Office products
TSforge      | Windows/Office/ESU | Permanent | Yes (new builds) | Used for extended security updates

⚠️ Risks & Considerations

  • Legitimacy: HWID activation is official, but many third‑party “HWID activators” exploit it. These are not authorized by Microsoft and may violate licensing terms.
  • Security: Downloading activators from unverified sources can expose you to malware.
  • Hardware Changes: Major upgrades (motherboard replacement) may invalidate the HWID license.

✅ Practical Takeaway

HWID activation is Microsoft’s way of giving you a lifetime digital license for Windows 10/11 tied to your hardware. If you’re using genuine Windows, you don’t need to worry about product keys after the first activation. If you’re considering third‑party activators, be cautious — they replicate Microsoft’s HWID process but are unofficial and carry risks.

How to Fix Your Windows Date and Time Settings


🕒 How to Fix Your Windows Date and Time Settings

If your computer clock is wrong, it can cause issues with your internet connection and apps. Use these simple commands and shortcuts to get back on track.

✅ The Quickest Shortcut

# Open Date & Time settings instantly
timedate.cpl

💡 How to use: Press Windows Key + R on your keyboard, type the command above, and hit Enter. It opens the classic Date and Time window immediately.

✅ Using the Command Prompt (CMD)

If you prefer using the Command Prompt to manage your time zones, use the tzutil tool. It is fast and very reliable.

# List every available time zone in the world
tzutil /l

# Check which time zone your PC is currently using
tzutil /g

# Change your time zone (Example: Sri Lanka)
tzutil /s "Sri Lanka Standard Time"

💡 Quick Guide:
/l → Shows you a list of all names.
/g → Shows your current setting.
/s → Sets a new time zone (make sure to use “quotes” around the name).

✅ Easy Navigation Paths

  • The Fast Way: Press Win + R → type timedate.cpl.
  • The Modern Way: Go to Settings → Time & Language → Date & Time.
  • The Expert Way: Open Command Prompt → type tzutil.

💡 Pro Tip

Most time issues happen because “Set time automatically” is turned off. If your clock is constantly wrong, open your settings and ensure that toggle is switched to ON so Windows can sync with the internet.

✅ Stop Automatic Time Zone Changes

If your PC keeps switching to the wrong time zone, you can disable the automatic adjustment.

# Turn off automatic time zone
1. Press Win + I to open Settings
2. Go to Time & Language → Date & Time
3. Find "Set time zone automatically"
4. Switch it OFF
5. Manually select your correct time zone

💡 Pro Tip: If the time zone still changes, check that Location Services are disabled, since Windows uses your location to adjust time zones.

Kapothi System Hygiene Checklist


🧹 Kapothi System Hygiene Checklist

This guide shows how to detect and remove impostor executables like the fake Windows Driver Foundation (WDF.exe), while also cleaning up unwanted startup entries to save RAM and CPU usage.

🔍 Detect Suspicious Files

Look for oversized or unsigned executables in C:\Windows\. Example: Windows Driver Foundation (WDF).exe (fake, 672 MB).

📋 Export Services & Tasks


# Export all services with paths
Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Out-File C:\services_with_paths.txt

🛠️ Alternative: Export to CSV

Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Export-Csv C:\services_with_paths.csv -NoTypeInformation

This produces a clean spreadsheet‑friendly file with all service details, perfect for filtering and analysis.

⚠️ Quick PowerShell Filter

# PathName is often quoted ("C:\Windows\System32\svchost.exe" -k ...), so strip a leading
# quote before comparing, or every quoted System32 service would be flagged as suspicious
Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Where-Object { $_.PathName -and $_.PathName.TrimStart('"') -notlike "C:\Windows\System32\*" } |
Export-Csv C:\suspicious_services.csv -NoTypeInformation

This highlights only services whose executables are outside the standard C:\Windows\System32\ directory, helping you spot anomalies quickly.


# Export all scheduled tasks with full paths
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        [PSCustomObject]@{
            TaskName   = $_.TaskName
            Path       = $_.TaskPath
            Execute    = $action.Execute
            Arguments  = $action.Arguments
        }
    }
} | Out-File C:\tasks_with_full_paths.txt -Width 4096

🕵️ Process Explorer

Process Explorer is part of Microsoft’s Sysinternals Suite. It shows detailed information about running processes, including parent processes, command lines, and loaded DLLs. Download it from Microsoft Sysinternals.

Use it to trace suspicious executables:

  • Right‑click the process → Properties
  • Check Parent process to see who launched it
  • Check Command line for hidden scripts
  • Use DLLs tab to inspect loaded modules

🗝️ Registry Check


# Winlogon Shell should only be explorer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe
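The "Detect Suspicious Files" and "Registry Check" steps above as one script, added here as an example that is not part of the checklist. The 100 MB size threshold is an assumption chosen for illustration (the fake WDF.exe was 672 MB); the signature check relies on Get-AuthenticodeSignature, which also honours catalog signatures on Windows 8 and later.

```powershell
# Added example: flag unsigned, oversized or script files directly in the Windows folder,
# and confirm the Winlogon Shell value is exactly explorer.exe.
$SizeLimit = 100MB   # assumption: threshold picked for illustration

function Get-SuspiciousWindowsRootFiles {
    $root = $env:SystemRoot
    foreach ($f in Get-ChildItem -Path "$root\*" -Include *.exe,*.cmd,*.bat -File) {
        $reasons = @()
        $sig = $null
        if ($f.Extension -in '.cmd', '.bat') {
            # Scripts do not belong directly in the Windows folder (cf. wtime.cmd in the hunt post)
            $reasons += 'script in Windows root'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            if (-not $f.VersionInfo.CompanyName) { $reasons += 'no version info' }
        }
        if ($f.Length -gt $SizeLimit) { $reasons += ('oversized: {0:N0} MB' -f ($f.Length / 1MB)) }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                File    = $f.FullName
                SizeMB  = [math]::Round($f.Length / 1MB, 1)
                Signer  = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Test-WinlogonShell {
    # Anything appended after "explorer.exe," is an extra program started at logon
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    [PSCustomObject]@{
        Shell    = $shell
        Expected = 'explorer.exe'
        Clean    = ($null -eq $shell) -or ($shell.Trim() -ieq 'explorer.exe')
    }
}

Get-SuspiciousWindowsRootFiles | Format-Table -AutoSize
Test-WinlogonShell | Format-List
```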

📑 Autoruns

Autoruns is another Sysinternals tool that shows every program configured to run at startup. It covers Logon, Services, Scheduled Tasks, Drivers, and more. Download it from Microsoft Sysinternals.

Check these tabs carefully:

  • Logon — suspicious scripts/executables
  • Scheduled Tasks — hidden triggers
  • Services — verify only legitimate system services
  • Image Hijacks — ensure no debugger hijacks
  • Winlogon — confirm Shell is only explorer.exe

🧹 Cleanup Ritual

  • Restore registry values to defaults (explorer.exe)
  • Disable/remove unwanted Autoruns entries
  • Delete malicious files (WDF.exe, wtime.cmd, wudf.exe)
  • Reboot and confirm clean startup
  • Run full malware scans (Windows Defender, Malwarebytes)

⚡ Benefits

  • Freed up RAM 💾
  • Reduced CPU usage ⚡
  • Faster startup 🚀
  • Cleaner shrine‑home 🕊️

🕯️ Kapothi Insight

Every impostor exe is a hidden chant. Trace the scroll, silence the ritual, and the shrine runs serene.

Hunting Down a Fake Windows Driver Foundation (WDF.exe)


🕵️‍♂️ How We Tracked Down a Fake Windows Driver Foundation (WDF.exe)

Malware often hides in plain sight, pretending to be legitimate system files. One such case is the fake Windows Driver Foundation (WDF.exe). Here’s how we detected, traced, and removed it using free tools like Autoruns, PowerShell, and Process Explorer.

Step 1: Spotting the Suspicious File

C:\Windows\Windows Driver Foundation (WDF).exe

A massive 672 MB executable with no signature or version info. Clearly not a legitimate Microsoft file.

Step 2: Autoruns & PowerShell Checks

We exported all services and tasks to confirm no hidden startup entries.

# Services with their executable paths
Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Out-File C:\services_with_paths.txt

# Scheduled tasks with every action's executable and arguments
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        [PSCustomObject]@{
            TaskName   = $_.TaskName
            Path       = $_.TaskPath
            Execute    = $action.Execute
            Arguments  = $action.Arguments
        }
    }
} | Out-File C:\tasks_with_full_paths.txt -Width 4096

No service or task pointed to WDF.exe. Suspicious.

Step 3: Process Explorer Trail

Process Explorer revealed WDF.exe was spawned by cmd.exe running a script:

C:\Windows\System32\cmd.exe /c "C:\Windows\wtime.cmd"

Contents of wtime.cmd:

@echo off
timeout /t 30
cd %windir%
%tmpd%"%windir%\Windows Driver Foundation (WDF).exe"

Step 4: Registry Hijack Discovery

The Winlogon Shell value was hijacked to run the malicious script:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe,wudf.exe wtime.cmd

Normally, Shell should be only:

explorer.exe

Step 5: Cleanup

  • Restored Shell value to explorer.exe
  • Deleted malicious files:
    • C:\Windows\Windows Driver Foundation (WDF).exe
    • C:\Windows\wtime.cmd
    • C:\Windows\wudf.exe
  • Rebooted — malware no longer launched
  • Ran full malware scans for confirmation
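The Step 3 parent-process trail reproduced from PowerShell, as an added example that is not part of the original write-up. It flags running processes whose parent is a cmd.exe executing a .cmd or .bat script (the pattern found here) and processes whose image sits directly in the Windows folder; explorer.exe legitimately lives there and is excluded by name, and since parent PIDs can be reused after a parent exits, the chain is a lead to confirm in Process Explorer rather than proof.

```powershell
# Added example: rebuild the parent chain for suspicious processes from Win32_Process data.
function Get-ProcessTable {
    $table = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $table[[int]$p.ProcessId] = $p }
    $table
}

function Get-ParentChain {
    param([hashtable]$Table, [int]$ProcessId)
    $chain = @(); $seen = @{}
    $cur = $Table[$ProcessId]
    # Walk ParentProcessId upwards; the seen-set guards against PID-reuse loops
    while ($cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $chain += "$($cur.Name)($($cur.ProcessId))"
        $cur = $Table[[int]$cur.ParentProcessId]
    }
    $chain -join ' <- '
}

function Find-ScriptLaunchedProcesses {
    $table = Get-ProcessTable
    $winRoot = $env:SystemRoot.TrimEnd('\')
    foreach ($p in $table.Values) {
        $parent = $table[[int]$p.ParentProcessId]
        # Pattern from the hunt: cmd.exe /c "C:\Windows\wtime.cmd" spawning the payload
        $parentRunsScript = $parent -and $parent.Name -ieq 'cmd.exe' -and
                            $parent.CommandLine -match '\.(cmd|bat)"?\s*$'
        # ExecutablePath is empty for protected/system processes, which are skipped here
        $inWinRoot = $p.ExecutablePath -and
                     ((Split-Path -Path $p.ExecutablePath -Parent).TrimEnd('\') -ieq $winRoot) -and
                     $p.Name -ine 'explorer.exe'
        if ($parentRunsScript -or $inWinRoot) {
            [PSCustomObject]@{
                Process   = "$($p.Name)($($p.ProcessId))"
                Image     = $p.ExecutablePath
                ParentCmd = $parent.CommandLine
                Chain     = Get-ParentChain -Table $table -ProcessId ([int]$p.ProcessId)
                Reason    = if ($parentRunsScript) { 'launched by cmd.exe running a script' }
                            else { 'image directly in Windows folder' }
            }
        }
    }
}

Find-ScriptLaunchedProcesses | Format-List
```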

Lessons Learned

  • Malware can hijack Winlogon Shell instead of services or tasks
  • Exporting services and tasks with PowerShell helps confirm legitimacy
  • Process Explorer is invaluable for tracing parent processes
  • Always check registry keys for hidden startup hijacks

Conclusion

This detective work shows how persistence and free tools can uncover even the most hidden startup hijacks. By documenting the trail — from Autoruns to PowerShell exports, Process Explorer analysis, and registry inspection — we created a repeatable method for others to follow. Use this guide to protect your PC from impostor files like fake WDF.exe.

Windows Activation — Error Codes and Remedies

Troubleshooting Windows Activation Errors: Codes and Fixes

📜 Windows Activation Rituals — Error Codes and Remedies

A complete guide to Windows activation error codes, meanings, and fixes. Learn how to resolve common issues like 0x80072EE2, 0xC004F074, and more. Keywords: Windows activation error codes, Windows Server activation, slmgr.vbs, KMS errors, Microsoft activation troubleshooting

Activation is the ritual that binds your Windows Server or client to Microsoft’s trust shrine. When it fails, cryptic error codes appear. This scroll documents the most common activation errors, their meanings, and the remedies to restore trust.

Common error codes and fixes

Code       | Meaning                              | Fix ritual
0x80072EE2 | Timeout contacting activation server | Verify internet, DNS, firewall; retry activation
0xC004C003 | Product key blocked                  | Use valid key, contact Microsoft support
0xC004F074 | KMS server not reachable             | Check KMS DNS records, firewall, ensure KMS host is online
0xC004C008 | Key already used elsewhere           | Transfer license or obtain new key
0xC004C020 | Multiple activations detected        | Contact Microsoft support for resolution
0xC004F050 | Invalid product key                  | Re‑enter correct key for edition
0x8007007B | DNS name not available               | Correct KMS DNS entry or use MAK key
0xC004E003 | Licensing service failure            | Reinstall license files; run slmgr.vbs /rilc
0xC004F038 | KMS count not met                    | Ensure minimum 25 clients (or 5 servers) for KMS activation
0xC004F00F | Hardware ID changed                  | Reactivate with original key or contact support

Stylized command windows

Windows Script Host — Status
PS C:\> slmgr.vbs /dlv

Tip: Press Win + R, type cmd, then run the command.
Windows Script Host — Expiry
PS C:\> slmgr.vbs /xpr

Shows permanent/expiry status of the current activation.
Windows Script Host — Activate
PS C:\> slmgr.vbs /ato

If you see 0x80072EE2, verify internet connectivity, DNS, and firewall before retrying.
Windows Activation — Error Details
Run: slui.exe 0x2a 0x80072EE2
Displays detailed text for the activation error in a GUI dialog.

Troubleshooting ritual notes

  • Connectivity: Ensure the server has internet access and can resolve activation.sls.microsoft.com.
  • DNS: Use nslookup to confirm resolution; fix any proxy or DNS issues.
  • Firewall: Temporarily allow outbound traffic to test; then add permanent rules as needed.
  • Edition and key: Verify your product key matches the installed edition (e.g., Server Standard vs Datacenter).
  • KMS specifics: Confirm KMS host availability, DNS SRV records, and minimum client count.
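A diagnostic script that reads the licence state through the SoftwareLicensingProduct class slmgr.vbs itself uses, decodes the error code with the table above, and runs the connectivity checks from the notes; it is an added example, not part of the original scroll. It assumes the Windows product can be found by a Name LIKE 'Windows%' filter and uses the standard KMS port 1688 when the instance reports none.

```powershell
# Added example: licence status + reason code lookup + connectivity checks for activation failures.
$ErrorMeanings = @{   # codes and meanings copied from the table above
    '0x80072EE2' = 'Timeout contacting activation server'
    '0xC004C003' = 'Product key blocked'
    '0xC004F074' = 'KMS server not reachable'
    '0xC004C008' = 'Key already used elsewhere'
    '0xC004C020' = 'Multiple activations detected'
    '0xC004F050' = 'Invalid product key'
    '0x8007007B' = 'DNS name not available'
    '0xC004E003' = 'Licensing service failure'
    '0xC004F038' = 'KMS count not met'
    '0xC004F00F' = 'Hardware ID changed'
}
$StatusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

function Get-WindowsLicenseReport {
    # Same source slmgr.vbs /dlv reads; LicenseStatusReason carries the HRESULT shown in the table
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'"
    foreach ($p in $products) {
        $code = '0x{0:X8}' -f [uint32]$p.LicenseStatusReason
        [PSCustomObject]@{
            Product       = $p.Name
            LicenseStatus = $StatusNames[[int]$p.LicenseStatus]
            ReasonCode    = $code
            ReasonMeaning = if ($ErrorMeanings.ContainsKey($code)) { $ErrorMeanings[$code] }
                            elseif ($code -eq '0x00000000') { 'none' }
                            else { "not in table; run slui.exe 0x2a $code" }
            KmsHost       = $p.DiscoveredKeyManagementServiceMachineName
            KmsPort       = $p.KeyManagementServicePort
            GraceDaysLeft = [math]::Round($p.GracePeriodRemaining / 1440, 1)   # property is in minutes
        }
    }
}

function Test-ActivationConnectivity {
    param([string]$KmsHost, [int]$KmsPort = 1688)   # 1688 is the KMS service default port
    $checks = @()
    # Retail/MAK endpoint named in the notes: resolution first, then TCP 443
    $checks += [PSCustomObject]@{ Check = 'DNS activation.sls.microsoft.com'
        Ok = [bool](Resolve-DnsName -Name 'activation.sls.microsoft.com' -ErrorAction SilentlyContinue) }
    $checks += [PSCustomObject]@{ Check = 'TCP 443 activation.sls.microsoft.com'
        Ok = (Test-NetConnection -ComputerName 'activation.sls.microsoft.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded }
    if ($env:USERDNSDOMAIN) {
        # KMS clients find the host through the _vlmcs._tcp SRV record of the domain
        $srv = Resolve-DnsName -Name "_vlmcs._tcp.$env:USERDNSDOMAIN" -Type SRV -ErrorAction SilentlyContinue
        $checks += [PSCustomObject]@{ Check = "KMS SRV record in $env:USERDNSDOMAIN"; Ok = [bool]$srv }
        if (-not $KmsHost -and $srv) { $KmsHost = ($srv | Where-Object NameTarget | Select-Object -First 1).NameTarget }
    }
    if ($KmsHost) {
        $checks += [PSCustomObject]@{ Check = "TCP $KmsPort to KMS host $KmsHost"
            Ok = (Test-NetConnection -ComputerName $KmsHost -Port $KmsPort -WarningAction SilentlyContinue).TcpTestSucceeded }
    }
    $checks
}

$report = Get-WindowsLicenseReport
$report | Format-List
$primary = $report | Select-Object -First 1
$port = if ($primary.KmsPort) { [int]$primary.KmsPort } else { 1688 }
Test-ActivationConnectivity -KmsHost $primary.KmsHost -KmsPort $port | Format-Table -AutoSize
```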

Closing: Each error code is a ritual reminder: activation depends on connectivity, valid keys, and trust. By documenting these codes, we build a communal scroll that helps every administrator resolve activation failures quickly and confidently.

SQL Express on Windows 11 — Connection Limits Explained


Windows 11 is widely used for development and small-scale hosting. When installing SQL Server Express, it’s important to understand which limits apply to the operating system and which are specific to SQL Express itself.


Connection limits in Windows 11

  • File sharing (SMB): Limited to 20 concurrent inbound connections.
  • Remote Desktop (RDP): Only 1 interactive session at a time.
  • SQL Server Express via TCP (port 1433): No operating system limit. Multiple users can connect, subject to hardware resources.

SQL Server Express resource limits

  • Database size: 10 GB per database.
  • Memory usage: 1 GB RAM per instance.
  • CPU usage: 1 socket, up to 4 cores.
  • Connections: No hard cap; performance depends on the above limits.

Windows 11 vs Windows Server — Connection limits

Feature / Limit          | Windows 11 (Client OS)                   | Windows Server (Server OS)
File sharing (SMB)       | Max 20 concurrent inbound connections    | Thousands of concurrent connections supported
Remote Desktop (RDP)     | 1 interactive session at a time          | Multiple concurrent sessions (with RDS licensing)
SQL Server Express (TCP) | No OS-imposed limit; resource-bound only | No OS-imposed limit; resource-bound only
Database size (Express)  | 10 GB per database                       | 10 GB per database (same Express cap)
Memory (Express)         | 1 GB RAM per instance                    | 1 GB RAM per instance (same Express cap)
CPU (Express)            | 1 socket, up to 4 cores                  | 1 socket, up to 4 cores (same Express cap)
Scalability              | Suitable for small apps, dev/test        | Suitable for production workloads, large user bases

Best use cases

  • Windows 11 + SQL Express: Ideal for developers, testing environments, small business apps, or limited multi-user scenarios.
  • Windows Server + SQL Server (Express/Standard/Enterprise): Recommended for production workloads, larger user bases, multiple RDP sessions, or when SMB connections exceed 20.

Download and install SQL Server Express 2022 on Windows 11

Option A: Quick GUI install (official installer)

  1. Download: Visit the official Microsoft SQL Server Express download page and get SQL Server 2022 Express.
  2. Run the installer: Choose “Basic” for a fast setup or “Custom” to select features and installation path.
  3. Finish: Note the instance name (default: SQLEXPRESS), and confirm SQL Server Browser service if you plan remote connections.

Option B: Command line install (silent)

Use a silent unattended install for repeatable setups and documentation.

# 1) Download the SQL Server 2022 Express setup bootstrapper
$uri = "https://go.microsoft.com/fwlink/?linkid=2203201"  # SQL 2022 Express bootstrapper (evergreen link)
$setup = "$env:TEMP\SQLEXPRESS2022.exe"
Invoke-WebRequest -Uri $uri -OutFile $setup

# 2) Run a silent install of Database Engine only
& $setup /QS /ACTION=Install /FEATURES=SQLEngine /INSTANCENAME=SQLEXPRESS `
  /IACCEPTSQLSERVERLICENSETERMS `
  /SECURITYMODE=SQL /SAPWD="Strong!Passw0rd" `
  /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" `
  /UPDATEENABLED=TRUE

# Notes:
# - Change SAPWD to your strong password if enabling Mixed Mode (SQL logins).
# - /QS = quiet simple UI; use /Q for fully silent.

Enable remote TCP connections (optional)

  1. Open SQL Server Configuration Manager: Enable TCP/IP under “SQL Server Network Configuration” for your instance.
  2. Firewall rule: Allow inbound TCP on port 1433 (or your chosen port).
    New-NetFirewallRule -DisplayName "SQL Server 1433" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
  3. Restart services: Restart the SQL Server (SQLEXPRESS) service after changes.

SQL Server Management Studio (SSMS)

  • Download SSMS: Install SSMS to manage databases, users, and queries.
  • Connect: Use localhost\SQLEXPRESS or machine-name\SQLEXPRESS. For remote clients, use IP:1433 if a custom port is configured.

Post-install checklist

  • Authentication mode: Choose Windows-only or Mixed Mode depending on your app requirements.
  • Backups: Set up regular backups (full/diff/log) based on change rate and recovery objectives.
  • Performance basics: Verify indexes, set appropriate file growth, and monitor memory usage (Express cap is 1 GB per instance).
  • Security: Restrict inbound access, use strong passwords, and patch regularly.
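A post-install check that reports the Express limits and the security points from the checklist in one run, added here as an example that is not part of the original post. It assumes the SQLEXPRESS instance name and the "SQL Server 1433" rule name used above, uses the System.Data.SqlClient provider that ships with Windows PowerShell, and needs VIEW SERVER STATE (granted to local administrators through the sysadmin role by default).

```powershell
# Added example: data size per database against the 10 GB cap, live connection count,
# authentication mode, state of the sa login, and scope of the 1433 firewall rule.
param([string]$Instance = 'localhost\SQLEXPRESS')   # assumption: default instance name from the post

function Invoke-SqlQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        ,$table   # comma keeps the DataTable intact instead of unrolling its rows
    } finally { $conn.Close() }
}

function Get-SqlExpressHealth {
    param([string]$Instance)
    $cs = "Server=$Instance;Integrated Security=True;TrustServerCertificate=True;Connection Timeout=5"
    # ROWS files only: the 10 GB Express cap applies to data files, not the transaction log
    $sizes = Invoke-SqlQuery $cs @"
SELECT DB_NAME(database_id) AS [Database],
       CAST(SUM(size) * 8.0 / 1024 / 1024 AS DECIMAL(10,2)) AS DataGB
FROM sys.master_files WHERE type_desc = 'ROWS'
GROUP BY database_id
"@
    $server = Invoke-SqlQuery $cs @"
SELECT (SELECT COUNT(*) FROM sys.dm_exec_connections) AS Connections,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly,
       (SELECT is_disabled FROM sys.sql_logins WHERE name = 'sa') AS SaDisabled,
       SERVERPROPERTY('Edition') AS Edition
"@
    $row = $server.Rows[0]
    $sa = $row.SaDisabled
    # The rule from "Enable remote TCP connections" has no -RemoteAddress, so it defaults to Any
    $rule = Get-NetFirewallRule -DisplayName 'SQL Server 1433' -ErrorAction SilentlyContinue
    $remote = if ($rule) { ($rule | Get-NetFirewallAddressFilter).RemoteAddress } else { 'rule not found' }
    [PSCustomObject]@{
        Edition            = $row.Edition
        Connections        = $row.Connections
        WindowsAuthOnly    = [bool]$row.WindowsAuthOnly
        SaLogin            = if ($sa -is [DBNull]) { 'not found (renamed)' } elseif ($sa) { 'disabled' } else { 'ENABLED' }
        FirewallRemoteAddr = $remote
        NearCapDatabases   = ($sizes.Rows | Where-Object { $_.DataGB -ge 8 } |
                              ForEach-Object { "$($_.Database) ($($_.DataGB) GB)" }) -join ', '
        AllDatabases       = $sizes
    }
}

$h = Get-SqlExpressHealth -Instance $Instance
$h | Select-Object Edition, Connections, WindowsAuthOnly, SaLogin, FirewallRemoteAddr, NearCapDatabases | Format-List
$h.AllDatabases | Format-Table -AutoSize
if (-not $h.WindowsAuthOnly -and $h.SaLogin -eq 'ENABLED') {
    Write-Warning 'Mixed Mode with sa enabled: disable sa or give it a strong, rotated password.'
}
if ($h.FirewallRemoteAddr -eq 'Any') {
    Write-Warning 'Port 1433 is open to any remote address; scope the rule with -RemoteAddress.'
}
```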

Summary

Windows 11 limits SMB connections (20) and allows only one interactive RDP session, but it does not impose a limit on TCP connections to SQL Server Express. SQL Express caps database size, memory, and CPU, not connection count. For higher concurrency and production workloads, Windows Server with SQL Server Standard or Enterprise is the recommended path.

XTS‑AES 256‑bit encryption in Windows | Bitlocker

Kapothi legacy post: XTS‑AES 256‑bit encryption in Windows

Seal your restored archives inside a sovereign capsule — by law (Group Policy) or by ritual (PowerShell).

What is XTS‑AES 256‑bit encryption?

XTS is a mode of operation designed for disk encryption. It encrypts data by sector and resists manipulation by binding encryption to the physical layout of the disk.

AES 256‑bit uses a 256‑bit key, offering extremely strong protection against brute‑force attacks and aligning with modern enterprise standards.

Combined, XTS‑AES 256 is the industry standard for full‑disk and volume encryption, used by tools like BitLocker and VeraCrypt to protect sensitive archives.

“The capsule holds the scrolls, the cipher seals them — together they become unbreakable legacy.”

What is the default in Windows?

By default, BitLocker uses XTS‑AES 128‑bit encryption for new volumes. It’s efficient and secure, but archivists often choose XTS‑AES 256‑bit for maximum resilience and future‑proofing.

Enable XTS‑AES 256‑bit with Group Policy (system‑wide default)

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to:
    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
  3. Open Choose drive encryption method and cipher strength for each drive type you use.
  4. Set the policy to Enabled and choose XTS‑AES 256‑bit.
  5. Apply and restart Windows.

Enable XTS‑AES 256‑bit with PowerShell (per‑drive ritual)

BitLocker requires a protector (password, recovery key, TPM, etc.). The correct ritual is a three‑step sequence:

Step 1: Enable BitLocker with a password protector

Enable-BitLocker -MountPoint "Y:" -PasswordProtector -EncryptionMethod XtsAes256

Step 2: Add a recovery key protector

Add-BitLockerKeyProtector -MountPoint "Y:" -RecoveryPasswordProtector

Step 3: Verify encryption and protectors

Get-BitLockerVolume -MountPoint "Y:"

Replace Y: with your drive letter. This ensures the capsule is sealed with XTS‑AES 256‑bit and has redundant unlock methods.

Optional: Create and encrypt a VHD capsule

  1. Create VHD: Open Disk Management → Action → Create VHD → choose location/size → initialize (GPT) → format (NTFS).
  2. Assign a drive letter (e.g., Y:).
  3. Encrypt with the three‑step PowerShell ritual above.
  4. Save the recovery key to an offline location (print or store in a separate, secured archive).
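The three-step ritual and the recovery-key step of the capsule procedure as one function, with the checks from the troubleshooting section built in; this is an added example, not code from the original scroll. It assumes Y: and the export path are placeholders to replace, that the export folder exists, and that it runs from an elevated PowerShell.

```powershell
# Added example: seal a mounted volume with XTS-AES 256, add a recovery password,
# write that password to an offline file, and verify the result.
function Protect-Capsule {
    param(
        [Parameter(Mandatory)][string]$MountPoint,          # e.g. 'Y:'
        [Parameter(Mandatory)][string]$RecoveryExportPath   # e.g. 'D:\Offline\Y-recovery.txt'
    )
    # Pre-flight: an unformatted volume is what produces "not associated with BitLocker volume"
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':', '\') -ErrorAction Stop
    if (-not $vol.FileSystem) { throw "$MountPoint is not formatted; initialize and format it first." }

    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($blv.VolumeStatus -eq 'FullyDecrypted') {
        $password = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
        # Step 1: exactly one protector here; passing two is the "Parameter set cannot be resolved" error
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -PasswordProtector -Password $password | Out-Null
    } elseif ($blv.EncryptionMethod -ne 'XtsAes256') {
        # The cipher is fixed when encryption starts; a 128-bit volume must be decrypted and re-sealed
        throw "$MountPoint is already encrypted with $($blv.EncryptionMethod); decrypt it first to change the cipher."
    }

    # Step 2: add the redundant recovery-password protector unless one already exists
    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($blv.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $blv = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # Save the 48-digit recovery password offline (print it or move the file off this machine)
    $rp = $blv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    "Volume: $MountPoint`r`nProtector ID: $($rp.KeyProtectorId)`r`nRecovery password: $($rp.RecoveryPassword)" |
        Set-Content -Path $RecoveryExportPath

    # Step 3: verify cipher and protectors (encryption may still be in progress at this point)
    $types = $blv.KeyProtector.KeyProtectorType
    [PSCustomObject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $blv.EncryptionMethod
        VolumeStatus     = $blv.VolumeStatus
        Protectors       = ($types -join ', ')
        Sealed           = ($blv.EncryptionMethod -eq 'XtsAes256') -and
                           ($types -contains 'Password') -and ($types -contains 'RecoveryPassword')
    }
}

Protect-Capsule -MountPoint 'Y:' -RecoveryExportPath 'D:\Offline\Y-recovery.txt'
```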

Verify BitLocker Encryption Strength

You can confirm whether a drive is sealed with XTS‑AES 128 or XTS‑AES 256 using these commands:

PowerShell

Get-BitLockerVolume -MountPoint "Y:" | fl

Command Prompt

manage-bde -status Y:

Replace Y: with your drive letter. Both commands will display the Encryption Method, showing whether the capsule is protected with XTS‑AES 128 or XTS‑AES 256.

Troubleshooting common errors

  • Access denied: Run PowerShell as Administrator.
  • Not associated with BitLocker volume: Ensure the drive is mounted, initialized, and formatted.
  • Parameter set cannot be resolved: Only one protector can be used with Enable-BitLocker. Add others afterwards with Add-BitLockerKeyProtector.

“The capsule must be mounted, the scroll must be formatted, and the ritual must be invoked with authority.”

Kapothi editorial note: This scroll now includes the corrected three‑step PowerShell ritual, stylized command boxes, and troubleshooting guidance for archivists sealing their capsules.