Kapothi Guide: Uninstalling Software with PowerShell & Winget

Why This Matters: Uninstalling software from the command line is faster, scriptable, and avoids digging through Control Panel menus. With PowerShell and Winget, you can remove apps cleanly and automate the process.


⚙️ Command Method (WMIC / WMIObject)

# List installed programs
wmic product get name

# Uninstall by exact name
wmic product where name="Software Name" call uninstall

💡 Alternative modern PowerShell:

# Note: querying Win32_Product makes Windows Installer run a consistency check
# (and possibly a repair) on every installed MSI package, so this is slow and
# noisy in the Application event log; run it once and filter the result rather
# than calling it in a loop.
Get-WmiObject -Class Win32_Product |
  Where-Object { $_.Name -eq "Software Name" } |
  ForEach-Object { $_.Uninstall() }

⚙️ Winget Method (Modern Windows Package Manager)

# List all installed apps
winget list

# Uninstall by name
winget uninstall "System Mechanic"

# Batch uninstall multiple apps
winget uninstall "Viber"
winget uninstall "Webex"
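
Added example (not from the Kapothi post): the batch uninstall above repeated as a reviewed list, matching on the exact winget package Id instead of a display name (a name match can hit the wrong package), checking first whether each package is actually installed, supporting a dry run, and writing a CSV of what was changed. The package Ids are illustrative placeholders, not real Ids.

```powershell
# Added example: batch-uninstall a reviewed list of apps with winget by exact
# package Id, with a dry-run switch and a CSV record of the outcome.
# The Ids below are placeholders; look real ones up with 'winget list'.
param(
    [string[]]$PackageIds = @("Example.ViberPlaceholder", "Example.WebexPlaceholder"),
    [switch]$DryRun
)

function Test-WingetPackageInstalled {
    param([string]$Id)
    # 'winget list --id <Id> --exact' exits 0 only when the package is present.
    & winget list --id $Id --exact --accept-source-agreements | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Remove-WingetPackage {
    param([string]$Id, [switch]$DryRun)
    if (-not (Test-WingetPackageInstalled -Id $Id)) {
        return [pscustomobject]@{ Id = $Id; Result = "NotInstalled" }
    }
    if ($DryRun) {
        return [pscustomobject]@{ Id = $Id; Result = "WouldRemove" }
    }
    # --silent suppresses the vendor uninstaller UI where the package supports it.
    & winget uninstall --id $Id --exact --silent --accept-source-agreements | Out-Null
    $status = if ($LASTEXITCODE -eq 0) { "Removed" } else { "Failed (exit $LASTEXITCODE)" }
    return [pscustomobject]@{ Id = $Id; Result = $status }
}

$report = foreach ($id in $PackageIds) { Remove-WingetPackage -Id $id -DryRun:$DryRun }
$report | Format-Table -AutoSize
# Keep the report as evidence of what was changed on the machine.
$report | Export-Csv -Path (Join-Path $env:TEMP "winget_uninstall_report.csv") -NoTypeInformation
```

Run it once with -DryRun to see which Ids resolve to installed packages before letting it remove anything.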

📌 Takeaway

With these two methods, Kapothi admins can keep their systems clean and efficient without ever opening Control Panel.

Kapothi Wi‑Fi Ritual: Backup & Restore Your Wireless Keys

Our Kapothi problem: when you reinstall Windows or get a new PC, you forget the Wi‑Fi password and end up offline. The solution is the Wi‑Fi profiles backup & restore ritual.

Kapothi Note 🪶:
Before running the backup command, create a folder where you want to save your Wi‑Fi profiles — for example, C:\WiFiBackup.

⚠️ If you created the backup folder on your C drive, make sure to copy that folder to another drive or external storage before formatting or restoring your computer. Otherwise, your Wi‑Fi backups will be lost during the reinstall.
Kapothi Command Box — Backup
# Step 1: Run CMD as Administrator
→ Win+R → cmd → Ctrl+Shift+Enter

# Step 2: Export all Wi-Fi profiles with passwords
netsh wlan export profile folder=C:\WiFiBackup key=clear

# Output:
→ XML files saved in C:\WiFiBackup
→ Each file contains SSID + password
  
Kapothi Command Box — Restore
# Step 1: Copy XML files to target PC
→ Example: C:\WiFiBackup

# Step 2: Import profile back
netsh wlan add profile filename="C:\WiFiBackup\ProfileName.xml"

# Result:
→ Wi-Fi network restored with original password
  

Notes

  • netsh wlan show profiles → Lists saved SSIDs.
  • netsh wlan export profile → Dumps all profiles into XML.
  • netsh wlan add profile → Restores them on another PC.
  • Handle XML files carefully — they contain plain text passwords.
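
Added example (not from the Kapothi post): the backup and restore steps above as two functions. It goes slightly beyond the post in two ways: the backup locks the folder down to the current user and Administrators before the key=clear files are written, since they hold passphrases in plain text, and the restore imports every XML file in the folder instead of one named file. The folder path is the one from the post.

```powershell
# Added example: export every Wi-Fi profile to a locked-down folder, then
# restore all profiles from that folder on the target PC.
$BackupFolder = "C:\WiFiBackup"   # folder used in the post; change as needed

function Backup-WiFiProfiles {
    param([string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # key=clear writes the passphrase in plain text inside each XML file,
    # so restrict the folder before the files are written.
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting permissive ACEs
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($principal in @($me, "BUILTIN\Administrators")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
    & netsh wlan export profile "folder=$Folder" key=clear | Out-Null
    return (Get-ChildItem -Path $Folder -Filter "*.xml").Count
}

function Restore-WiFiProfiles {
    param([string]$Folder)
    $restored = @()
    foreach ($file in Get-ChildItem -Path $Folder -Filter "*.xml") {
        # user=all makes the profile available to every account on the PC.
        $out = & netsh wlan add profile "filename=$($file.FullName)" user=all
        if ($LASTEXITCODE -eq 0) { $restored += $file.BaseName }
        else { Write-Warning "Failed to import $($file.Name): $out" }
    }
    return $restored
}

# Usage on the source PC:  Backup-WiFiProfiles -Folder $BackupFolder
# Usage on the target PC:  Restore-WiFiProfiles -Folder $BackupFolder
```

Copy the folder to external storage after the backup, as the post warns, and delete the XML files once the profiles are restored on the new PC.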

Active Directory Audit Checklist: Privileged Access & Inactive User Reviews with PowerShell

🧾 Kapothi Audit Scroll: Forgotten Access Reviews

Auditors flagged: “User access reviews and privileged access reviews are not being conducted for users within Active Directory.” — a classic Kapothi moment.

When auditors raise this finding, it means the organization has not been regularly checking who has access to Active Directory and whether those users still need it. In practice, accounts may remain active long after employees leave, contractors finish projects, or service accounts are created without proper documentation. Privileged groups like Domain Admins or Enterprise Admins may also accumulate members who no longer require elevated rights. This creates a serious security gap — attackers love stale accounts and unused privileges because they are rarely monitored.

The IT department’s responsibility is to close this gap by:

  • Reviewing privileged groups — Identify all members of high‑risk groups and confirm with management that each one still requires access.
  • Checking inactive accounts — Generate reports of users who haven’t logged in for 30 or 60+ days, then disable or remove them after manual review.
  • Documenting approvals — Keep CSV exports and manager sign‑offs as audit evidence to prove reviews are being conducted.
  • Maintaining service accounts — Ensure every service account has a clear owner, documented purpose, and is excluded from bulk disable actions.
  • Repeating regularly — Schedule these reviews (monthly or quarterly) so auditors see a consistent compliance routine.

In short, the audit flag is a warning that access hygiene has slipped. The IT team must demonstrate control by producing evidence of reviews, showing that inactive accounts are cleaned up, and proving that privileged access is tightly managed. That’s how the Kapothi moment is turned into compliance success.

⚡ Privileged Access Review


# List privileged accounts ($g holds the group name; inside Select-Object,
# $_ is the member object, so using $_ there would not give the group)
Get-ADGroup -Filter { Name -like "*Admin*" } |
ForEach-Object { $g = $_.Name
  Get-ADGroupMember $g |
  Select-Object @{Name="Group";Expression={$g}}, Name, SamAccountName }
  

⚡ Inactive User Review (30 Days)


# Find enabled accounts inactive for 30 days
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Select-Object Name, SamAccountName, LastLogonDate

# Export inactive accounts (30 days) to CSV for audit evidence
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Select-Object Name, SamAccountName, LastLogonDate |
Export-Csv "InactiveUsers_30Days.csv" -NoTypeInformation

⚡ Optional Cleanup (Disable 60+ Days)


# OPTIONAL ⚠️ Cleanup Command
# Risk: This can disable service accounts or rarely used but valid accounts.
# Recommended: First run the 30-day inactive user listing command above, review manually,
# and only disable accounts after confirming they are safe to remove.
# Tip: append -WhatIf to Disable-ADAccount to preview which accounts would be disabled.
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 60.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Disable-ADAccount

⚡ Sensitive Group Memberships


# Export key group memberships ($g holds the group name; inside Select-Object,
# $_ is the member object)
$groups = "Domain Admins","Enterprise Admins","Schema Admins","Remote Desktop Users","Backup Operators"
$groups | ForEach-Object { $g = $_
  Get-ADGroupMember -Identity $g |
  Select-Object @{Name="Group";Expression={$g}},Name,SamAccountName
} | Export-Csv "AD_GroupMemberships.csv" -NoTypeInformation
  

⚡ Full AD Group Memberships (One Line)


# Export all groups with members
Get-ADGroup -Filter * | ForEach-Object { $g = $_.Name
  Get-ADGroupMember $g |
  Select-Object @{Name="Group";Expression={$g}},Name,SamAccountName
} | Export-Csv "All_AD_GroupMemberships.csv" -NoTypeInformation
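
Added example (not from the Kapothi post): the whole checklist from the scroll as one review script. It flattens nested membership of the privileged groups, joins each member with its last logon, excludes service accounts, flags enabled accounts with no logon inside the threshold, and writes a dated CSV with an empty ManagerApproval column for sign-off. The group list and the 30-day threshold come from the post; the service-account convention (an OU whose DN contains "OU=Service Accounts") is an assumption and should be changed to match your directory.

```powershell
# Added example: privileged access + inactivity review in one pass.
Import-Module ActiveDirectory

$PrivilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Backup Operators", "Remote Desktop Users"
$InactiveDays     = 30
$ServiceAccountOU = "OU=Service Accounts"      # assumed naming convention
$Cutoff           = (Get-Date).AddDays(-$InactiveDays)

function Get-PrivilegedAccessReview {
    $rows = foreach ($group in $PrivilegedGroups) {
        # -Recursive flattens nested groups so indirect admins are not missed.
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq "user" }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.SamAccountName -Properties LastLogonDate, Enabled, DistinguishedName
            $isSvc    = $u.DistinguishedName -like "*$ServiceAccountOU*"
            $inactive = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
            # Flag only enabled, non-service accounts with no logon since the cutoff.
            $flag = if ($u.Enabled -and -not $isSvc -and $inactive) {
                        "REVIEW: no logon in $InactiveDays+ days"
                    } else { "" }
            [pscustomobject]@{
                Group            = $group
                SamAccountName   = $u.SamAccountName
                Enabled          = $u.Enabled
                LastLogonDate    = $u.LastLogonDate
                IsServiceAccount = $isSvc
                Flag             = $flag
                ManagerApproval  = ""     # filled in by the reviewer as sign-off evidence
                ReviewDate       = (Get-Date -Format "yyyy-MM-dd")
            }
        }
    }
    return $rows
}

$review = Get-PrivilegedAccessReview
$review | Format-Table Group, SamAccountName, Enabled, LastLogonDate, Flag -AutoSize
# One dated CSV per run gives auditors a consistent trail.
$review | Export-Csv -Path ("PrivilegedAccessReview_{0}.csv" -f (Get-Date -Format "yyyyMMdd")) -NoTypeInformation
```

LastLogonDate is replicated only every 9 to 14 days, so treat the flag as a prompt for manual review, not as proof the account is unused.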
  

Thus the Kapothi was resolved: from audit red flag to compliance evidence, with scrolls of PowerShell wisdom.

HWID Activation in Windows 10/11 – The Digital License That Never Expires

🔑 HWID Activation in Microsoft

HWID (Hardware ID) Activation is a Microsoft digital license method that permanently activates Windows 10/11 by tying the activation to your device’s hardware profile. Once activated, the license is stored online and automatically reapplied after reinstallations, as long as the hardware remains the same.

🔎 What HWID Activation Means

  • HWID = Hardware ID → A unique fingerprint of your PC’s hardware (CPU, motherboard, etc.) is generated and registered with Microsoft’s activation servers.
  • Digital License → Instead of a product key, Windows uses this hardware fingerprint to grant a permanent license.
  • Persistence → If you reinstall Windows 10/11 on the same machine, it will auto‑activate again once connected to the internet.
  • Scope → Works for Windows 10/11 Home, Pro, Education, Enterprise editions. Not supported for Windows Server or older versions like Windows 7/8.1.

⚡ Key Characteristics

  • Permanent Activation: No expiry, unlike KMS (180 days).
  • Internet Required: At least once, to register the hardware fingerprint with Microsoft.
  • No Product Key Needed: After initial activation, reinstallations don’t require re‑entering a key.
  • Device‑Bound: Major hardware changes (like motherboard replacement) may invalidate the HWID license.

🧩 Comparison with Other Activation Methods

Method       | Products Supported  | Duration  | Internet Needed  | Notes
HWID         | Windows 10/11       | Permanent | Yes              | Digital license tied to hardware
KMS (Online) | Windows/Office      | 180 days  | Yes              | Needs renewal task
Ohook        | Office              | Permanent | No               | For Office products
TSforge      | Windows/Office/ESU  | Permanent | Yes (new builds) | Used for extended security updates

⚠️ Risks & Considerations

  • Legitimacy: HWID activation is official, but many third‑party “HWID activators” exploit it. These are not authorized by Microsoft and may violate licensing terms.
  • Security: Downloading activators from unverified sources can expose you to malware.
  • Hardware Changes: Major upgrades (motherboard replacement) may invalidate the HWID license.

✅ Practical Takeaway

HWID activation is Microsoft’s way of giving you a lifetime digital license for Windows 10/11 tied to your hardware. If you’re using genuine Windows, you don’t need to worry about product keys after the first activation. If you’re considering third‑party activators, be cautious — they replicate Microsoft’s HWID process but are unofficial and carry risks.

How to Fix Exchange Spam Queue from a Compromised Mailbox (Kapothi Ritual Guide)

🌄 Introduction

If you’ve ever woken up to find your Microsoft Exchange server queues overflowing with spam, you know the panic it brings. Outbound messages pile up, inboxes go silent, and your domain risks being blacklisted. This guide shares a real incident response: how we identified the compromised mailbox ([email protected]), reset its password, purged the Exchange queue with PowerShell, and traced the attacker’s IP using IIS logs.

By walking through these steps — containment, queue cleanup, IIS log filtering, inbox rule audit, and mailbox permission checks — you’ll learn how to stop spam at the source and harden your Exchange environment against future attacks.

⚡ Morning Containment Ritual

First, we identified the spammer in Exchange Toolbox → Queue Viewer, reset the password, and purged the queue.

# Reset the compromised account password
# (-Reset lets an administrator set a new password without knowing the old one;
# you are prompted for the new password)
Set-ADAccountPassword -Identity "[email protected]" -Reset

# (Optional) Disable the account temporarily to freeze access
Disable-ADAccount -Identity "[email protected]"

# Purge spam messages from Exchange queue
Get-Queue | Get-Message |
Where-Object { $_.FromAddress -eq "[email protected]" } |
Remove-Message -WithNDR $false

🔎 IIS Log Filtering

We confirmed the login source by filtering IIS logs.

# Filter IIS logs for the account (-SimpleMatch treats the address as literal text,
# not a regular expression)
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\u_ex260430.log" -Pattern "[email protected]" -SimpleMatch |
    Out-File C:\Temp\dc02_iis_filtered.log

🔎 IIS Log Sample Extraction

To create a smaller sample of the filtered IIS log for analysis:

# Extract first 200 matching lines from filtered IIS log
Select-String -Path "C:\Temp\dc02_iis_filtered.log" -Pattern "[email protected]" -SimpleMatch |
    Select-Object -First 200 |
    Out-File C:\Temp\dc02_sample.log
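
Added example (not from the Kapothi post): once the log is filtered, the question is which client IPs and user agents used the account and when. This parses IIS W3C lines using the #Fields: header (so it works for any field order) and summarises per IP and user agent. The log lines, account name and IP addresses are constructed samples, not values from the incident.

```powershell
# Added example: summarise IIS W3C log lines for one account by client IP and
# user agent. Sample lines below are constructed; replace with Get-Content on
# the real filtered log.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-04-30 06:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-04-30 06:01:12 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.23 Mozilla/5.0 200 120
2026-04-30 06:01:13 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\compromised.user 198.51.100.23 Python-urllib/3.9 200 55
2026-04-30 06:01:19 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\compromised.user 198.51.100.23 Python-urllib/3.9 200 61
2026-04-30 06:05:41 10.0.0.5 GET /owa/ - 443 CORP\compromised.user 192.0.2.77 Mozilla/5.0+(Windows+NT+10.0) 200 88
2026-04-30 06:06:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\other.user 203.0.113.9 Mozilla/5.0 200 40
'@

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith("#Fields:")) {
            # The header names the columns; W3C values are space-separated
            # and spaces inside a value are written as '+'.
            $fields = $line.Substring(8).Trim() -split "\s+"
            continue
        }
        if ($line.StartsWith("#") -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split " "
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-AccountLoginSources {
    param([string[]]$Lines, [string]$Account)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'cs-username' -eq $Account } |
        Group-Object { $_.'c-ip' + '|' + $_.'cs(User-Agent)' } |
        ForEach-Object {
            $times = $_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object
            [pscustomobject]@{
                ClientIP  = $_.Group[0].'c-ip'
                UserAgent = $_.Group[0].'cs(User-Agent)'
                Requests  = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } | Sort-Object Requests -Descending
}

# Constructed sample; for the real log use:
#   Get-AccountLoginSources -Lines (Get-Content "C:\Temp\dc02_iis_filtered.log") -Account "CORP\user"
Get-AccountLoginSources -Lines ($SampleLog -split "`r?`n") -Account "CORP\compromised.user" |
    Format-Table -AutoSize
```

On the sample this separates a scripted EWS client from a browser session by IP and user agent, which is the split you want before blocking anything. If the Exchange server sits behind a load balancer, c-ip is the balancer's address; the real client IP only appears if X-Forwarded-For has been added as a custom logging field.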

📜 Inbox Rule Audit

We found and removed a malicious rule named DELETE.

# Inspect inbox rules
Get-InboxRule -Mailbox "[email protected]"

# Inspect specific rule
Get-InboxRule -Mailbox "[email protected]" -Identity "RuleName" | Format-List

# Remove malicious rule
Remove-InboxRule -Mailbox "[email protected]" -Identity "RuleName"
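
Added example (not from the Kapothi post): the rule audit above done across all mailboxes rather than one, flagging the patterns used to hide activity: delete, forward or redirect to an external SMTP address, move to a rarely read folder, and near-empty rule names (a rule named "." or "," is a common trick), with mark-as-read counted only alongside another reason. It needs the Exchange Management Shell; the internal domain is an assumed placeholder.

```powershell
# Added example: sweep inbox rules across mailboxes and flag suspicious ones.
$InternalDomain = "example.com"        # assumed internal domain

function Test-SuspiciousInboxRule {
    param($Rule, [string]$InternalDomain)
    $reasons = @()
    if ($Rule.DeleteMessage) { $reasons += "deletes messages" }
    foreach ($prop in "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo") {
        # External recipients render as '"Name" [SMTP:user@domain]'
        $external = @($Rule.$prop) | Where-Object {
            "$_" -match 'SMTP:([^\]\s]+)' -and $matches[1] -notlike "*@$InternalDomain"
        }
        if ($external) { $reasons += "$prop external: $($external -join '; ')" }
    }
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match "RSS|Archive|Junk|Deleted|Conversation History") {
        $reasons += "moves to $($Rule.MoveToFolder)"
    }
    if ($Rule.Name -match '^[\s\.,]*$' -or $Rule.Name.Length -le 2) { $reasons += "near-empty rule name" }
    # Mark-as-read is noisy alone; count it only when combined with another pattern.
    if ($Rule.MarkAsRead -and $reasons.Count -gt 0) { $reasons += "marks as read" }
    return $reasons
}

function Get-SuspiciousInboxRules {
    param([string]$InternalDomain, [int]$ResultSize = 1000)
    foreach ($mbx in Get-Mailbox -ResultSize $ResultSize) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
            $reasons = Test-SuspiciousInboxRule -Rule $rule -InternalDomain $InternalDomain
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    RuleName = $rule.Name
                    Enabled  = $rule.Enabled
                    Reasons  = $reasons -join "; "
                }
            }
        }
    }
}

$findings = Get-SuspiciousInboxRules -InternalDomain $InternalDomain
$findings | Format-Table -AutoSize
$findings | Export-Csv "C:\Temp\inbox_rule_findings.csv" -NoTypeInformation
```

Review each finding with the mailbox owner before removing a rule; legitimate delete and move rules exist, and the CSV is the record of what was checked.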

🛡️ Mailbox Permission Audit

We confirmed no rogue delegates were added.

# Audit mailbox permissions (drop inherited entries and the owner's own SELF
# entry so only explicitly granted delegates remain)
Get-MailboxPermission -Identity "[email protected]" |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" }

📖 Lessons Learned

  • Attackers often use inbox rules to hide their tracks.
  • IIS logs reveal the true client IP.
  • Password resets and queue purges are the fastest containment.
  • MFA and conditional access are the long‑term shields.

🌌 Closing

This Kapothi scroll reminds us: even in the quiet shrine‑home observatory, vigilance is ritual. The inbox can be turned against us, but with methodical steps — Contain → Eradicate → Recover → Audit → Harden — balance is restored.

Fix Bluetooth Earbud Sound by Disabling Hands‑Free Telephony in Windows

Many Bluetooth earbuds sound great on phones but poor on laptops. This happens because Windows often connects them in Hands‑Free Telephony (HFP/HSP) mode, which prioritizes the mic but drastically reduces audio quality. To get rich stereo sound, you need to force Stereo (A2DP) mode.

Step 1: Check Playback Devices

  1. Right‑click the speaker icon in the taskbar.
    • Windows 10: Choose Sounds.
    • Windows 11: Choose Sound Settings, scroll down, and click More sound settings.
  2. Go to the Playback tab.
  3. Look for two entries for your earbuds:
    • Headset (Hands‑Free AG Audio): Low quality, mono sound.
    • Headphones (Stereo): High quality, rich audio.
  4. Select Headphones (Stereo) and click Set Default.

Step 2: Disable Hands‑Free Telephony

This is the “permanent fix” that prevents Windows from switching back to low-quality audio.

  1. Open Control Panel → Hardware and Sound → Devices and Printers.
  2. Find your earbuds under the “Devices” section. Right‑click them and choose Properties.
  3. Go to the Services tab (wait a few seconds for it to load).
  4. Uncheck the box for Hands‑Free Telephony.
  5. Click Apply. Your earbuds may disconnect and reconnect automatically.
Important Note: Disabling this service turns off the earbud’s built-in microphone. You will need to use your laptop’s internal mic for Zoom or Discord calls.

Step 3: Enable Audio Enhancements

Once your earbuds are locked in Stereo mode, you can further improve the depth of the audio.

  1. Return to the Playback tab (from Step 1).
  2. Select your Stereo Headphones → click Properties.
  3. Open the Enhancements tab. (Note: If this tab is missing, your hardware uses a third-party app like Realtek or Dolby for these settings).
  4. Enable the following:
    • Bass Boost: Adds depth and punch to low frequencies.
    • Loudness Equalization: Balances volume for a fuller sound.
  5. Click Apply → OK.

Result

By removing the Hands-Free bottleneck, your Bluetooth earbuds will sound richer, warmer, and closer to phone‑level quality—even on older hardware. You can re-enable the service at any time if you find you specifically need the earbud mic for a call.

Conclusion

Unlocking the Stereo (A2DP) profile is the best way to enjoy music and movies on Windows. While you lose the earbud microphone, the massive jump in audio quality is almost always worth the trade-off.

Fix Smart App Control Blocking Apps in Windows 11

Windows 11 includes Smart App Control, a security feature that blocks apps it doesn’t recognize. This helps protect your PC, but sometimes it blocks safe apps like dongle drivers or setup tools. Here’s how to fix it.

Step 1: Check the Blocked App

If you see a message like “Smart App Control blocked an app that may be unsafe”, note the file name (for example, Setup.exe from a 4G dongle).

Step 2: Disable Smart App Control Temporarily

To install trusted software, you can turn off Smart App Control:

  1. Open Settings.
  2. Go to Privacy & Security → Windows Security → App & Browser Control.
  3. Select Smart App Control settings.
  4. Switch it Off (requires a restart).

Step 3: Install the Software

After restarting, run the installer again. It should now work without being blocked.

Step 4: Re‑Enable Smart App Control

Once the software is installed, go back to the same settings and turn Smart App Control On again to keep your PC protected.

Alternative: Use Official Drivers

For extra safety, download the latest drivers directly from the manufacturer’s website instead of using the bundled installer on the device.

Conclusion

Smart App Control is useful for security, but sometimes it blocks apps you trust. By disabling it temporarily, installing your software, and then turning it back on, you can balance safety with functionality.

Fix Missing or Corrupted Windows Files with DISM and SFC

When Windows system files go missing or get corrupted, tools may stop working or show errors. Instead of copying files manually, the safest way is to use DISM and SFC. These built‑in commands repair and restore system files automatically.

Step 1: Repair the Windows Image with DISM

# Repair the Windows image
DISM /Online /Cleanup-Image /RestoreHealth

This checks the Windows component store and repairs it. Run this first before using SFC.

Step 2: Scan and Fix System Files with SFC

# Scan and fix system files
sfc /scannow

This scans all protected system files and replaces any that are missing or corrupted. Restart your computer after repairs.

More Useful DISM Options

# Quick check, no changes
DISM /Online /Cleanup-Image /CheckHealth

# Deep scan, no repair yet
DISM /Online /Cleanup-Image /ScanHealth

# Restore health using local source (ISO)
DISM /Online /Cleanup-Image /RestoreHealth /Source:D:\Sources\install.wim /LimitAccess

  • CheckHealth → Quick check, tells you if corruption exists.
  • ScanHealth → Deep scan, confirms the extent of corruption.
  • RestoreHealth → Repairs corruption using Windows Update or a local source.
  • Source option → Useful if Windows Update is disabled; point DISM to a local ISO or installation media.

Step 3: Verify the Repair

If SFC reports “Windows Resource Protection did not find any integrity violations”, your system files are healthy. Tools like Remote Desktop (mstsc.exe) should now open without errors. If problems remain, run Windows Update or consider an in‑place repair install.
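
Added example (not from the Kapothi post): the sequence above wrapped in a function that runs CheckHealth first, escalates to ScanHealth and RestoreHealth only when corruption is reported, then runs SFC and turns its output into a status instead of leaving you to read the console. It handles one gotcha the post does not mention: sfc.exe emits UTF-16 text, so its captured output contains embedded NUL characters that must be stripped before the "did not find any integrity violations" message can be matched. Run from an elevated PowerShell session.

```powershell
# Added example: DISM -> SFC repair sequence with a result object.
function Invoke-WindowsFileRepair {
    param([string]$Source)   # optional: path to install.wim when Windows Update is unavailable

    $result = [ordered]@{ CheckHealth = ""; ScanHealth = ""; RestoreHealth = "skipped"; Sfc = "" }

    $check = & DISM /Online /Cleanup-Image /CheckHealth | Out-String
    $result.CheckHealth = if ($check -match "No component store corruption detected") { "healthy" } else { "corruption flagged" }

    if ($result.CheckHealth -ne "healthy") {
        $scan = & DISM /Online /Cleanup-Image /ScanHealth | Out-String
        $result.ScanHealth = if ($scan -match "repairable") { "repairable" } else { "see DISM log" }

        $dismArgs = @("/Online", "/Cleanup-Image", "/RestoreHealth")
        if ($Source) { $dismArgs += "/Source:$Source", "/LimitAccess" }
        & DISM @dismArgs | Out-Null
        $result.RestoreHealth = if ($LASTEXITCODE -eq 0) { "completed" } else { "failed (exit $LASTEXITCODE)" }
    } else {
        $result.ScanHealth = "not needed"
    }

    # sfc.exe writes UTF-16 output; strip the embedded NULs so the text can be matched.
    $sfc = (& sfc /scannow | Out-String) -replace "`0", ""
    $result.Sfc = if ($sfc -match "did not find any integrity violations") { "healthy" }
                  elseif ($sfc -match "successfully repaired") { "repaired - restart required" }
                  elseif ($sfc -match "unable to fix") { "unfixable - rerun DISM or do an in-place repair" }
                  else { "unknown - check CBS.log" }

    return [pscustomobject]$result
}

Invoke-WindowsFileRepair | Format-List
# Details for the unfixable case are in $env:windir\Logs\CBS\CBS.log
```

Pass -Source with the path to install.wim from mounted installation media when Windows Update is blocked, which is the /Source option from the table above.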

Conclusion

Whenever Windows system files go missing or get corrupted, DISM + SFC is the safest and most reliable fix. With DISM’s extra options, you can check, scan, and repair in different ways — making it a powerful tool for any Windows troubleshooter.

Kapothi Scroll: Banishing the Ghost VM in Hyper‑V

Kapothi — Sinhala slang for “getting into a big problem.” This scroll documents how we untangled one such haunting: a phantom VM that refused to die, flooding Event Viewer with endless errors.

🌀 The Symptom

Failed to load Hyper-V state for virtual machine 'MEGATRON-SVR-KAP-DSTN-04'
from the configuration: Unspecified error (0x80004005).
(Virtual machine ID 287FCA31-68ED-43C1-8B35-0452C2EDF743).
Hyper-V may not work properly. An attempt to reload the configuration will be made in a few minutes.

🔎 The Investigation Ritual

Check replication status

# PowerShell
Get-VMReplication -VMName "MEGATRON-SVR-KAP-DSTN-04"

→ Showed replication normal, so the issue wasn’t with Replica.

Try removing replication

# PowerShell
Remove-VMReplication -VMName "MEGATRON-SVR-KAP-DSTN-04" -Force

→ Command worked only with -VMName, not -VMId.

Search filesystem and registry

  • Looked under C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
  • Checked registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization

→ No folder or key for the GUID found.

Inspect WMI repository

# PowerShell
Get-WmiObject -Namespace root\virtualization\v2 -Class Msvm_ComputerSystem |
Where-Object { $_.Name -eq "287FCA31-68ED-43C1-8B35-0452C2EDF743" }

→ Found the ghost entry still alive in WMI, status Degraded.

Check VM list

# PowerShell
Get-VM

→ VM showed as SavedCritical with “Cannot connect to virtual machine configuration storage.”

⚔️ The Cleansing Ritual

Remove ghost from WMI

# PowerShell
Get-WmiObject -Namespace root\virtualization\v2 -Class Msvm_ComputerSystem |
Where-Object { $_.Name -eq "287FCA31-68ED-43C1-8B35-0452C2EDF743" } |
Remove-WmiObject

Force remove VM object

Remove-VM -Name "MEGATRON-SVR-KAP-DSTN-04" -Force

or

Remove-VM -Id "287FCA31-68ED-43C1-8B35-0452C2EDF743" -Force

Purge leftover config files

  • Search for GUID‑named files (287FCA31-68ED-43C1-8B35-0452C2EDF743) under:
    • C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
    • Replica storage paths (e.g., E:\Hyper-V\Replica\...)

Restart services

Restart-Service vmms

🌑 Final Cleansing (WMI Repository Reset)

If the ghost still lingers after all steps, reset the WMI repository:

net stop winmgmt
winmgmt /resetrepository
net start winmgmt

⚠️ Note: This is the last resort — it rebuilds the entire WMI repository, clearing any corrupted or stale entries.

✅ The Outcome

  • Event Viewer spam stopped.
  • Get-VM no longer listed the ghost VM.
  • Replication remained healthy for other VMs.

📜 Ritual Reflection

The ghost scroll wasn’t just in the shelves (registry) or archives (ProgramData) — it hid in the secret catalog (WMI). Hyper‑V kept trying to read it, failing each time. By purging the catalog entry, removing the VM object, and finally resetting the repository, the shrine keeper’s chant of errors was silenced.

✨ Kapothi Lesson: When Hyper‑V haunts you with “Failed to load state” errors, cleanse all three layers — filesystem, registry, and WMI. If the ghost still lingers, reset the repository to rebuild the shrine’s catalog from scratch.
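
Added example (not from the Kapothi post): a read-only check that compares the VM identities known to each layer the scroll searched. It collects GUID-named configuration files on disk, the Msvm_ComputerSystem entries in WMI (through Get-CimInstance rather than the older Get-WmiObject used in the scroll), and what Get-VM reports, then marks any GUID known to WMI or Get-VM with no configuration file on disk, which is the ghost pattern from the incident. The ProgramData path is the one from the scroll; the replica path is an assumed placeholder.

```powershell
# Added example: find VM GUIDs that exist in WMI or Get-VM but have no config
# file on disk. Read-only; nothing is removed.
$ConfigPaths = @(
    "C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines",
    "E:\Hyper-V\Replica"          # assumed extra storage path; adjust or remove
)

function Get-HyperVIdentityMap {
    # Layer 1: GUID-named .vmcx/.xml configuration files on disk
    $fileIds = foreach ($p in ($ConfigPaths | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $p -Recurse -Include "*.vmcx", "*.xml" -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' } |
            ForEach-Object { $_.BaseName.ToUpper() }
    }
    # Layer 2: WMI; the host itself is the entry whose Name is the hostname, VMs use their GUID
    $wmi = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem |
           Where-Object { $_.Name -ne $env:COMPUTERNAME }
    # Layer 3: what the Hyper-V module reports
    $vms = Get-VM

    [pscustomobject]@{
        FileIds    = @($fileIds | Sort-Object -Unique)
        WmiIds     = @($wmi | ForEach-Object { $_.Name.ToUpper() } | Sort-Object -Unique)
        VmIds      = @($vms | ForEach-Object { $_.Id.ToString().ToUpper() } | Sort-Object -Unique)
        WmiObjects = $wmi
        Vms        = $vms
    }
}

function Find-GhostVMs {
    $map = Get-HyperVIdentityMap
    $all = @($map.FileIds + $map.WmiIds + $map.VmIds) | Sort-Object -Unique
    foreach ($id in $all) {
        $vm  = $map.Vms        | Where-Object { $_.Id.ToString().ToUpper() -eq $id }
        $obj = $map.WmiObjects | Where-Object { $_.Name.ToUpper() -eq $id }
        $inFiles = $map.FileIds -contains $id
        [pscustomobject]@{
            Id      = $id
            Name    = if ($vm) { $vm.Name } elseif ($obj) { $obj.ElementName } else { "?" }
            InFiles = $inFiles
            InWmi   = $map.WmiIds -contains $id
            InGetVM = $map.VmIds  -contains $id
            State   = if ($vm) { "$($vm.State)" } else { "" }
            # Known to WMI or Get-VM but with no config file on disk: the ghost pattern
            Suspect = (($map.WmiIds -contains $id) -or ($map.VmIds -contains $id)) -and -not $inFiles
        }
    }
}

Find-GhostVMs | Where-Object { $_.Suspect } | Format-Table -AutoSize
```

Run it before and after the cleansing steps: a clean host returns no Suspect rows, and a row that persists after Remove-VM and the WMI purge is the case for the repository reset.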

Kapothi Scroll: Rebooting Domain Controllers and FSMO Roles

Kapothi — Sinhala slang for “getting into a big problem” — is our reminder that even in IT, what looks like disaster can be turned into wisdom. Today’s scroll: Do you need to transfer FSMO roles before rebooting a domain controller?

🏛 The Setup

  • Two domain controllers: Server1 and Server2.
  • All FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master) are on Server1.
  • Question: If you reboot Server1, must you transfer all roles to Server2 first?

🔎 The Truth

No, you don’t need to transfer FSMO roles for a short reboot. Server2 will continue authenticating users, handling DNS, and keeping AD alive. FSMO roles are only required for specific operations (schema changes, RID allocation, time sync from PDC). These can pause briefly without breaking daily logons.

✅ Pre‑Reboot Checklist

Before rebooting Server1, confirm Server2 is healthy:

# Replication health
repadmin /replsummary

# DNS resolution
nslookup yourdomain.local Server2_IP

# Time sync status
w32tm /query /status

# FSMO role holders
netdom query fsmo

  • Ensure Server2 is a Global Catalog (check in Active Directory Sites and Services).
  • Verify clients have Server2’s IP in their DNS list (ipconfig /all).
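
Added example (not from the Kapothi post): the pre-reboot checklist as one read-only script that gathers the same evidence (FSMO holders, Global Catalog, DNS, replication, time sync) and prints a verdict. Server1, Server2 and yourdomain.local are the placeholders from the post; FSMO holders and replication come from the ActiveDirectory module instead of netdom and repadmin, and w32tm is queried remotely.

```powershell
# Added example: pre-reboot readiness check for a two-DC domain.
param(
    [string]$RebootingDC = "Server1",
    [string]$RemainingDC = "Server2",
    [string]$Domain      = "yourdomain.local"
)
Import-Module ActiveDirectory

function Test-DcRebootReadiness {
    param([string]$RebootingDC, [string]$RemainingDC, [string]$Domain)
    $checks = [ordered]@{}

    # 1. FSMO holders (same information as 'netdom query fsmo')
    $d = Get-ADDomain $Domain
    $f = Get-ADForest
    $holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
    $checks.FsmoOnRebootingDC = @($holders | Where-Object { $_ -like "$RebootingDC.*" }).Count

    # 2. Remaining DC is a Global Catalog
    $dc = Get-ADDomainController -Identity $RemainingDC
    $checks.RemainingIsGC = $dc.IsGlobalCatalog

    # 3. Remaining DC answers DNS for the domain
    $checks.RemainingAnswersDns = [bool](Resolve-DnsName -Name $Domain -Server $dc.IPv4Address -ErrorAction SilentlyContinue)

    # 4. Replication: no recorded failures on the remaining DC
    $checks.ReplicationFailures = @(Get-ADReplicationFailure -Target $RemainingDC -ErrorAction SilentlyContinue).Count

    # 5. Time service on the remaining DC reports a source
    $w32 = & w32tm /query /status /computer:$RemainingDC | Out-String
    $checks.TimeSyncOk = ($LASTEXITCODE -eq 0) -and ($w32 -match "Source:")

    $ok = $checks.RemainingIsGC -and $checks.RemainingAnswersDns -and
          ($checks.ReplicationFailures -eq 0) -and $checks.TimeSyncOk
    $checks.Verdict = if ($ok) {
        "Short reboot of $RebootingDC is safe; $($checks.FsmoOnRebootingDC) FSMO role(s) will pause until it returns"
    } else {
        "Fix the failing checks before rebooting $RebootingDC"
    }
    return [pscustomobject]$checks
}

Test-DcRebootReadiness -RebootingDC $RebootingDC -RemainingDC $RemainingDC -Domain $Domain | Format-List
```

The verdict only covers a short reboot; for the long-absence or decommission cases below, transfer the roles first regardless of what the checks say.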

⚖️ When to Transfer FSMO Roles

  • If Server1 will be offline for days or weeks.
  • If you plan to decommission Server1.
  • If you need high availability for RID allocation or schema changes.

In those cases, transfer FSMO roles to Server2. Otherwise, a simple reboot is safe.

🌌 Kapothi Takeaway

  • Short reboot? No FSMO transfer needed.
  • Long absence or decommission? Transfer roles.
  • Always check replication, DNS, and Global Catalog before reboot.

Kapothi reminds us: what looks like a big problem is often just a small ritual, if you know the scrolls.