💡 Your WinRice experience can be customized. Please read Settings.md to learn more.
| Category | Link |
|---|---|
| Apps | Click here |
| Features | Click here |
| Privacy | Click here |
| Security | Click here |
| OS | Click here |
| Windows Explorer | Click here |
| Symbol | Significance |
|---|---|
| 🎛️ | Tasks prefixed with 🎛️ "control knob" emoji are such tasks which are only run when they are configured. You may learn more by visiting Settings.md. |
| 🧪 | Tasks prefixed with 🧪 "test tube" emoji behave differently when device is detected to be flighting in the Windows Insider Program. |
-
HEVC Video Extensions
-
Visual C++ Libraries
-
Windows Package Manager (GitHub)
Refer to App-uninstallation.md
- Microsoft Store
- Office
- Xbox
- .NET 3.5
- Windows Sandbox
- Windows Subsystem for Linux
- DirectPlay
- Legacy Components
- Math Recognizer
- SMB 1 Protocol
- SMB Direct
- Snipping Tool (Windows 10)
- Windows Fax & Scan
- Windows Hello Face (if no Camera is connected to device)
- Windows PowerShell ISE
- Windows PowerShell v2
- Windows XPS Features
- XPS Document Writer
- WordPad
- Work Folders Client
- Advertising ID
- App suggestions
- Error reporting
- Inking & typing personalization
- Online speech recognition
- Tailored Experiences
- Websites' access to language list to provide locally relevant content
- 🧪 Diagnostic data
- 🧪 Feedback notifications
🔔 Check notes
- Clipboard history
After a device restarts after applying a Windows Update, it stays on the lock screen and awaits manual login from a user.
Digest Authentication is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate.
This is where WDigest comes into play, something to be concerned with related to WDigest is that it stores passwords in clear-text, in memory. If a malicious user has access to an endpoint and is able to run a tool like Mimikatz, not only would they get the hashes currently stored in memory, but they’d also be able to get the clear-text password for the accounts as well.
WinRice disables WDigest Credential Caching on all devices.
See more at What is Digest Authentication?: Logon and Authentication - docs.microsoft.com.
LLMNR was (is) a protocol used that allowed name resolution without the requirement of a DNS server. It was (is) able to provide a hostname-to-IP based off a multicast packet sent across the network asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query. Windows will use LLMNR in certain circumstances to identify certain machines on the network, such as file-servers. If Windows attempts to use LLMNR to identify the server of a file-share and it receives a reply, it will send the current user’s credentials directly to that server assuming it wouldn’t have replied if it wasn’t the authoritative file-server. If that LLMNR received response was actually an impersonator, Windows just disclosed that user’s credential hash to a third-party. What’s worse? The impersonator may forward that packet to the actual file-server, so the user never realizes anything is amiss.
WinRice disables LLMNR on all devices.
See more at How to Disable LLMNR & Why You Want To - Black Hills Information Security - blackhillsinfosec.com.
This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect your device.
WinRice enables Structured Exception Handling Overwrite Protection on all devices.
WPAD is a protocol, developed in 1999 by people from Microsoft and other technology companies, that allows computers to automatically discover which web proxy they should use. The proxy is defined in a JavaScript file called a proxy auto-config (PAC) file.
The location of PAC files can be discovered through WPAD in several ways: through a special Dynamic Host Configuration Protocol (DHCP) option, through local Domain Name System (DNS) lookups, or through Link-Local Multicast Name Resolution (LLMNR).
Attackers can abuse these options to supply computers on a local network with a PAC file that specifies a rogue web proxy under their control. This can be done on an open wireless network or if the attackers compromise a router or access point.
WinRice disables Web Proxy Auto-Discovery or WPAD on all devices.
See more at Disable WPAD now or have your accounts and private data compromised - csoonline.com.
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
WinRice enables LSA Protection on all devices.
See more at Configuring Additional LSA Protection.
Numerous spam campaigns are pushing various crypto-ransomware families (and backdoors) via ZIP file attachments. And such ZIP files typically contain a JScript (.js/.jse) file which, if clicked, will be run via Windows Script Host.
Since Windows Script Host is also not used by personal PC users, WinRice disables this feature.
See more at How-To Disable Windows Script Host - blog.f-secure.com.
OLE allows an editing application to export part of a document to another editing application and then import it with additional content. For example, a desktop publishing system might send some text to a word processor or a picture to a bitmap editor using OLE. OLE is misused by malware and is often treated by some as an exploit.
WinRice disables Office OLE.
See more at 111 Attacking EvilCorp Anatomy of a Corporate Hack Sean Metcalf Will Schroeder - youtube.com.
- Consolidator
- DmClient
- DmClientOnScenarioDownload
- Disk Diagnostics Data Collector
- Feedback Notifications task
- Microsoft Compatibility Appraiser
- ProgramDataUpdater
- QueueReporting
- UsbCeip
- AMDLinkUpdate
- AMDRyzenMasterSDKTask
- ModifyLinkUpdate
- StartCN
- StartDVR
This is useful for OEM devices which ship with a lot of power options hidden by default. WinRice restores them to the user.
Screen shot of Advanced power settings applet
Things disabled:
- Autoplay & Autorun.
- Hibernation (desktop only).
- Windows welcome experience after an update which shows what's new.
- Tips and suggestions when using Windows.
Things enabled:
- 🎛️ OS may be enabled to follow UTC if its set to follow BIOS time.
- Num lock on startup.
- Long path support.
Setup the following policies to Windows Update:
- Turn off automatic updates
- Do not auto restart PC if users are signed in
- Delay feature updates by 20 days
- Delay quality updates by 4 days
- Turn off re-installation of bloatware after feature updates
- Turn off Delivery Optimization
- Reset Windows Update is available for users who want to switch back to stock Windows Update settings.
| Item | Area Affected | OS |
|---|---|---|
| Widgets icon | Taskbar | Windows 11 |
| Chat icon | Taskbar | Windows 11 |
| Search icon | Taskbar | Windows 11 and 10 |
| Task view | Taskbar | Windows 11 and 10 |
| Cortana | Taskbar | Windows 10 |
| 3D Objects | File Explorer sidebar | Windows 10 |
| Meet now | Other system tray icons | Windows 10 |
| News and interests | Other system tray icons | Windows 10 |
- Set File Explorer to open This PC by default.
- Turn off Keyboard shortcut for Sticky keys.
- If ShareX is installed, WinRice disables the Print Screen key behavior of launching the Snipping Tool.
- If the taskbar is detected to have incorrect window preview behavior for opened apps, an attempt is made to fix it.
-
WinRice sets your Diagnostic data to Required level. On devices running Windows pre-release software, Diagnostic data is set to Optional level.
-
Error reporting is not disabled in Windows pre-release software.
-
Feedback notifications are not disabled in Windows pre-release software.
-
Windows Update policies are not applied in Windows pre-release software.
-
Windows Update policies are only applied to Windows editions that support Group policies. These are Education, Enterprise, Enterprise LTSC and Professional editions. Windows editions that are derivates of Windows Core edition (for instance, Windows 11 / 10 Home) do not support Group policies, and as a result Windows Update policies cannot be applied to them.
If you have observed an issue with docs or if there are accessibility issues, please consider filing an issue.