Skip to content

Latest commit

 

History

History
1127 lines (698 loc) · 78.2 KB

post-install.md

File metadata and controls

1127 lines (698 loc) · 78.2 KB
Raw

Post-Install Instructions

Important

As mentioned in the README, this section is not designed to be followed on existing Windows installations due to apparent inconsistencies between systems. At this stage, you should be booted into the ISO that you created with the steps in docs/pre-install.md. If you have no idea what this means, then go back to the pre-install instructions in the document linked above and follow the instructions from start to finish.

Table of Contents

Preliminary Notes

  • Avoid applying or using random, unknown or undocumented changes and programs on your system without a comprehensive understanding of what they are changing and what impact they have on security, privacy and performance. Large all-in-one projects and closed-sourced software usually obfuscate changes being made which make it difficult to understand what goes on under the hood

  • Try to favor free, open source and reputable software. Stay away from proprietary software where you can and ensure to scan files with VirusTotal before running them

OOBE Setup

  • Windows Server may force you to enter a password which can be removed in later steps

  • If you are configuring Windows 11, press Shift+F10 to open CMD and execute oobe\BypassNRO.cmd. This will allow us to continue without an internet connection by unlocking the continue with limited setup option as demonstrated in the video examples below

  • See media/oobe-windows7-example.mp4

  • See media/oobe-windows8-example.mp4

  • See media/oobe-windows10+-example.mp4

  • Windows Server Only:

    • To enable Wi-Fi, navigate to Manage -> Add Roles and Features in the Server Manager dashboard and enable Wireless LAN Service

Unrestricted PowerShell Execution Policy

This is required to execute the scripts within the repository. Open PowerShell as administrator and enter the command below.

Set-ExecutionPolicy Unrestricted

Merge the Registry Options

Warning

🔒 Some changes outlined in the table below may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting.

The registry settings are merged with the apply-registry.ps1 script. As for which options get applied as outlined in the table below, this can be customized by editing C:\bin\registry-options.json in a text editor and setting properties to either true or false. You can safely backup the config file so that you don't need to modify it each time.

Important

The script does not revert options if re-run. For example, if the script was run with an option set to true, then running the script with a given option set to false will not revert the changed made as the script is unaware of the previous state of the registry keys associated with the option. This functionality may be implemented in the future but for now, use the -get_option_keys <option> argument with the script to get all relevant keys for a given option so that you can be reverted manually

Option Notes Default Value
disable windows update 🔒 A value of true may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting

Telemetry, intrusive, prevents CPU overhead and prevents installation of unwanted updates. Disabling Windows Update is in Microsoft's recommendations for configuring devices for real-time performance (1)		 true
disable automatic windows updates Prevents automatic download and installation of Windows updates as the process can be intrusive compared to disabling Windows Update completely. This option is overridden if disable windows update is set to true true
disable driver installation via windows update Prevents outdated, vulnerable and bloated drivers from being installed via Windows Update. It is recommended to manually only install ones that you require along with the latest version directly from the manufacture's website as outlined in the Install Drivers section. This option is overridden if disable windows update is set to true true
disable user account control 🔒 A value of true may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting

Eliminates this intrusive UAC elevation prompt. Disabling UAC may negatively impact security as all processes are run with Administrator privileges by default (1, 2)		 false
disable windows marking file attachments with information about their zone of origin 🔒 A value of true may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting

Prevents this intrusive security warning as downloaded files are constantly required to be unblocked however this may negatively impact security as the user will not be notified of blocked files as a security warning (1)		 true
disable windows defender 🔒 A value of true may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting

Prevents CPU overhead and interferes with the CPU operating in C-State 0 (1)		 true
disable PC is out of support message Disables this intrusive message true
disable automatic maintenance Intrusive true
disable search indexing Prevents CPU overhead as files are indexed constantly in the background true
disable program compatibility assistant Prevent Windows applying changes anonymously after running troubleshooters true
disable customer experience improvement program Telemetry (1) true
disable fault tolerant heap Prevents Windows autonomously applying mitigations to prevent future crashes on a per-application basis (1) true
disable sticky keys Disables the Do you want to turn on Sticky Keys? promt when the hotkey is pressed a certain number of times. This is severely intrusive in applications that utilize the Shift key for controls such as games true
disable pointer acceleration Ensures one-to-one mouse response for games that do not subscribe to raw input events and on Desktop true
disable fast startup Interferes with shutting down true
disable hibernation Eliminates the need for a hibernation file. It is recommended to shut down instead. This option is overridden if disable fast startup is set to true true
disable windows error reporting Telemetry true
reserve 10% of CPU resources for low-priority tasks instead of the default 20% On an optimized system with few background tasks, it is desirable to allocate most of the CPU time to the foreground process (1) true
disable remote assistance Security risk true
show file extensions Security risk true
disable corner navigation Disables corner navigation which may become intrusive true
disable search the web or display web results in search Telemetry true
disable notifications network usage Telemetry, prevents CPU overhead due to polling (1) true
disable sign-in and lock last interactive user after a restart Intrusive true
disable gamebarpresencewriter Prevents CPU overhead as the process runs constantly in the background even if the user disables Game Bar in settings true
disable telemetry Telemetry true
disable retrieval of online tips and help in the immersive control panel Telemetry true
enable the legacy photo viewer Alternative option to the Windows Photos app true
disable typing insights Telemetry true
disable transparency Prevents CPU overhead (1) true
disable background apps Disabled via policies as the option is not available in the interface on Windows 11 true
disable suggestions in the search box and in search home Telemetry and intrusive true
allocate processor resources primarily to programs On client editions of Windows, this has no effect from the default behavior but is changed to ensure consistency between all editions including Windows Server true

  • Open PowerShell as administrator and enter the command below

    C:\bin\apply-registry.ps1

  • If the command fails, try to disable tamper protection in Windows Defender (Windows 10 1909+). If that doesn't work, reboot then re-execute the command again

  • Ensure that the script prints a "successfully applied" message to the console, if it does not then the registry files were not successfully merged

  • After and only after a restart, you can establish an internet connection as the Windows update policies will take effect

Visual Cleanup

Disable features on the taskbar, unpin shortcuts and tiles from the taskbar and start menu.

Install Drivers

  • Chipset drivers are typically not required but if they are, their functionality can most likely be replicated manually with the advantage being no overhead from the drivers constantly running and forcing unnecessary context switches. An example of this would be the AMD chipset drivers used to manage per-CPU load for scheduling threads on the V-Cache CCX/CCD which can easily be achieved manually as described in the Per-CPU Scheduling section (1)

  • GPU drivers will be installed in the Configure the Graphics Driver section so do not install them at this stage

  • You can find drivers by searching for drivers that are compatible with your device's HWID. See media/device-hwid-example.png in regard to finding your HWID in Device Manager for a given device

  • Try to obtain the driver in its INF form so that it can be installed in Device Manager as executable installers usually install other bloatware along with the driver itself. Most of the time, you can extract the installer's executable with 7-Zip to obtain the driver

  • It is recommended to update and install the following:

    • Network Interface Controller

      • If you do not have internet access at this stage, you will need to download your NIC driver from another device or dual-boot as they may not be packaged at all in some versions of Windows

    • USB and NVMe (if you are configuring Windows 7, both may have already been integrated in pre-install)

    • SATA (required on Windows 7 as enabling MSI on the stock SATA driver will result in a BSOD)

  • Other required drivers can be installed with Snappy Driver Installer Origin

Time, Language and Region

  • Configure settings by typing intl.cpl and timedate.cpl in Win+R

  • Windows 10+ Only

    • Configure settings in Time & Language by pressing Win+I

      • If you intend to exclusively use one language and keyboard layout, ensure that is the case in actuality so that you don't need to toggle the language bar hotkeys which can become intrusive otherwise as the hotkey can be accidentally pressed

Activate Windows

Use the commands below to activate Windows using your license key if you do not have one linked to your HWID. Ensure that the activation process was successful by verifying the activation status in computer properties. Open CMD as administrator and enter the commands below.

slmgr /ipk <license key>
slmgr /ato

Configure a Web Browser

Configure a browser of your choice.

Disable Residual Scheduled Tasks

Open PowerShell and enter the command below to disable various scheduled tasks. This is useful if you would like finer control as to what runs on your OS in the background.

C:\bin\disable-scheduled-tasks.ps1

Miscellaneous

  • Open CMD and enter the commands below

    • Optionally set the maximum password age to never expire to prevent Windows periodically asking to change or enter a password (1)

      net accounts /maxpwage:unlimited

    • Optionally clean the WinSxS folder to reduce the size of it (1). Note that this can be a lengthy process

      DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBase

    • Optionally disable reserved storage (Windows 10 1903+)

      DISM /Online /Set-ReservedStorageState /State:Disabled

    • Configure the operating system name, it is recommended to set it to something meaningful or unique such has Windows 10 1803 Work or Windows 10 1803 Gaming for clarity when dual-booting. The partition label can also be renamed similarly for clarity

      bcdedit /set {current} description "OS_NAME"
      label C: "OS_NAME"

    • If an HDD isn't present in the system then Superfetch/Prefetch can be disabled with the command below. Disabling SysMain is in Microsoft's recommendations for configuring devices for real-time performance (1)

      reg add "HKLM\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "4" /f

  • Configure the following by typing sysdm.cpl in Win+R:

    • Advanced -> Performance -> Settings - configure Adjust for best performance. If you have enough RAM for your applications, consider disabling the paging file for all drives to avoid unnecessary I/O and longer access times

    • System Protection - disable and delete system restore points. It has been proven to be unreliable (1)

  • Windows 8+ Only:

    • Disable all unnecessary permissions in the Privacy section by pressing Win+I

  • Windows Server+ Only:

    • In Server Manager, navigate to Manage -> Server Manager Properties and enable the option to prevent Server Manager from starting automatically

    • Set the Windows Audio and Windows Audio Endpoint Builder services startup type to automatic by typing services.msc in Win+R

    • Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy by typing gpedit.msc in Win+R and disable Password must meet complexity requirements

      • Open CMD and type gpupdate /force to apply the changes immediately

    • Navigate to Computer Configuration -> Administrative Templates -> System by typing gpedit.msc in Win+R and disable Display Shutdown Event Tracker to disable the shutdown prompt

    • To remove the user password, enter your current password and leave the new/confirm password fields blank in User Accounts by typing control userpasswords in Win+R

Install Runtimes

These are runtimes that are dependencies of applications worldwide.

Manage Appx Packages (Windows 8+)

  • Download and open AppxPackagesManager then remove everything that you don't need (which may be everything). It is usually fine to keep packages installed provided that they don't run in the background continually

  • Required packages for Microsoft Store. It may be a suitable idea to keep this as you can download applications in the future if desired although, you can download .appx packages directly and install them manually without the store, but this may become tedious. See here for more information

    • Microsoft.WindowsStore

  • Required packages for Xbox Game Bar. It is highly recommended keeping this package to access the Remember this is a game in Game Bar to resolve game detection issues

    • Microsoft.XboxGamingOverlay

  • Required packages for Xbox Game Pass

    • Microsoft.XboxIdentityProvider
    • Microsoft.Xbox.TCUI
    • Microsoft.StorePurchaseApp
    • Microsoft.GamingApp
    • Microsoft.WindowsStore
    • Microsoft.GamingServices
    • Microsoft.XboxGamingOverlay

Handle Bloatware

  • Open CMD and enter the command below to uninstall OneDrive

    for %a in ("SysWOW64" "System32") do (if exist "%windir%\%~a\OneDriveSetup.exe" ("%windir%\%~a\OneDriveSetup.exe" /uninstall)) && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f > nul 2>&1

  • Disable Chromium Microsoft Edge

    • The browser should be disabled instead of uninstalled to retain the WebView runtime

    • Download Autoruns and navigate to the Everything section then search for "edge". Disable every item that appears in the filtered results

    • Updating the browser will revert some changes made in the previous step. You can ensure that it does not update if it is opened accidentally with the command below. Ensure that there aren't any hidden Microsoft Edge process running in Task Manager

      rd /s /q "C:\Program Files (x86)\Microsoft\EdgeUpdate"

    • Open CMD and enter the command below to remove all related shortcuts

      for /f "delims=" %a in ('where /r C:\ *edge.lnk*') do (del /f /q "%a")

  • Uninstall any bloatware that exists by typing appwiz.cpl in Win+R

  • Windows 10+ Only:

    • If you would like to prevent GameBar.exe from running, disable Xbox Game Bar in settings or with the registry keys below

      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
      reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

    • In the start menu, uninstall the residual links for applications. Keep in mind that these applications aren't actually installed, they get installed only if the user clicks on them so do not accidentally click on them

    • Windows 10 Only:

      • Uninstall bloatware in Apps -> Apps and Features by pressing Win+I

      • In the Optional features section, uninstall everything that you don't need

    • Windows 11 Only:

      • Uninstall bloatware in Apps -> Installed apps by pressing Win+I

      • In the System -> Optional features section, uninstall everything that you don't need

  • If Windows Defender was disabled in the Merge the Registry Options step,smartscreen.exe ignores the registry key that controls whether it runs in the background persistently on later versions of Windows. For this reason, open CMD as TrustedInstaller with C:\bin\MinSudo.exe --TrustedInstaller --Privileged and enter the command below to remove the binary

    taskkill /f /im smartscreen.exe > nul 2>&1 & ren C:\Windows\System32\smartscreen.exe smartscreen.exee

  • You can use Task Manager to check for residual bloatware that is running in the background and possibly create an issue on the repository so that it can be reviewed

Install 7-Zip

Download and install 7-Zip. Open C:\Program Files\7-Zip\7zFM.exe then navigate Tools -> Options and associate 7-Zip with all file extensions by clicking the + button. You may need to click it twice to override existing associated extensions.

Configure the Graphics Driver

Configure MSI Afterburner

If you use MSI Afterburner, download and install it.

  • It is recommended to configure a static fan speed as using the fan curve feature requires the program to run continually

  • To automatically load profile 1 (as an example) at startup, the command below can be used at startup. See docs/startup-techniques.md

    "C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe" /Profile1 /Q

Display Resolutions and Scaling Modes

You may have already found a stable overclock for your display in the Physical Setup section which you can configure in this section.

  • Typically, you have the option of performing scaling on the GPU or display. Native resolution does not require scaling thus results in the identity scaling mode being used. Furthermore, identity scaling renders most of the scaling options in the GPU control panel obsolete. If you are using a non-native resolution, there is an argument for favoring display scaling due to less GPU processing

  • Aim for an actual integer refresh rate such as 60.00/240.00, not 59.94/239.76. Using the exact timing can help achieve this in Custom Resolution Utility

  • There are many ways to achieve the same outcome regarding GPU and display scaling. See the table in the link below for example scenarios

  • Try to delete every resolution and the other bloatware (audio blocks) apart from your native resolution in CRU. This may be a workaround for the ~1-second black screen when alt-tabbing while using the Hardware: Legacy Flip presentation mode

    • On systems with an NVIDIA GPU, ensure that the Display option for the Perform scaling on setting is still available. If it is not, then find out what change you made in CRU results in it not being accessible through trial and error. This can be accomplished by running reset.exe to reset the settings to default then re-configure CRU. After each change, run restart64.exe then check whether the option is still available

  • Ensure your resolution is configured properly by typing rundll32.exe display.dll,ShowAdapterSettings in Win+R

Install Open-Shell (Windows 8+)

  • Download and install Open-Shell. Only install the Open-Shell Menu

  • Settings:

    • General Behavior

      • Check for Windows updates on shutdown - Disable

  • Windows 8 Only:

    • Open "C:\Program Files\Open-Shell\Start Menu Settings.lnk", enable Show all settings then navigate to the Windows 8 Settings section and set Disable active corners to All

Spectre, Meltdown and CPU Microcode

Warning

🔒 Disabling Spectre and Meltdown may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting.

Optionally disable Spectre and Meltdown with InSpectre. This is an age old trick familiar amongst many however with newer platforms there may be a performance regression (1). Carry out the next steps with caution and ensure performance is positively scaling.

  • AMD is unaffected by Meltdown

  • A minority of anti-cheats (FACEIT) require Meltdown to be enabled

  • Open CMD as TrustedInstaller with C:\bin\MinSudo.exe --TrustedInstaller --Privileged and enter the commands below to remove the CPU microcode updates

    ren C:\Windows\System32\mcupdate_GenuineIntel.dll mcupdate_GenuineIntel.dlll
    ren C:\Windows\System32\mcupdate_AuthenticAMD.dll mcupdate_AuthenticAMD.dlll

  • Reboot and use InSpectre and CPU-Z's validation feature to check the status after a reboot

Install a Media Player

Configure Power Options

Open CMD and enter the commands below.

  • Set the active power scheme to High performance

    powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

  • Remove the Balanced power scheme

    powercfg /delete 381b4222-f694-41f0-9685-ff5bb260df2e

  • Remove the Power Saver power scheme

    powercfg /delete a1841308-3541-4fab-bc81-f71556f20b4a

  • USB 3 Link Power Management - Off

    powercfg /setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0

  • USB Selective Suspend - Disabled

    powercfg /setacvalueindex scheme_current 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0

  • Processor performance core parking min cores - 100

    • CPU parking is disabled by default in the High Performance power scheme (1). However on Windows 11+ with modern CPUs, parking is overridden and enabled. Users can determine whether CPUs are parked by typing resmon in Win+R. Apart from parking intended to be a power saving feature, videos such as this and this explain that it is the desired behavior for correct thread scheduling which is probably fine for the average user, but they do not account for the latency penalty of unparking cores (as with C-State transitions) along with kernel-mode activity (interrupts, DPCs). In terms of per-CPU scheduling, you can easily achieve the same outcome by managing per-CPU load manually (e.g. pin the real-time application to a single CCX/CCD or P-Cores) by configuring affinities with the advantage being no overhead from chipset drivers and Xbox processes constantly running in the background forcing unnecessary context switches. See the Per-CPU Scheduling section for more information

      powercfg /setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 0cc5b647-c1df-4637-891a-dec35c318583 100
      powercfg /setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 0cc5b647-c1df-4637-891a-dec35c318584 100

  • Processor performance time check interval - 5000

    • There are a handful of ntoskrnl power management DPCs that are scheduled at a periodic interval to re-evaluate P-States and parked cores. With a static CPU frequency and core parking disabled, these checks become obsolete thus unnecessary DPCs get scheduled. The Processor performance time check interval setting controls how often these checks are taken place so increasing the setting's value can reduce CPU overhead as significantly fewer DPCs are scheduled. For reference and at the time of checking, the Power Saver, Balanced, High performance power schemes have a default value of 200, 15 and 15 respectively. 5000 is the maximum accepted value. Of course, if a dynamic CPU frequency is used (e.g. Precision Boost Overdrive, Turbo Boost) and parking is enabled, the effects of increasing this value should be evaluated as cores may not be able to boost their frequency in response to workloads as the OS is evaluating the current scenario less often

      DPC Function Average DPC Rate Total DPCs
      15 200 5000 15 200 5000
      ntoskrnl!PpmPerfAction 15.45Hz 3.07Hz N/A 311 60 1
      ntoskrnl!PpmCheckRun 12.99Hz 2.29Hz N/A 262 46 1
      ntoskrnl!PpmCheckPeriodicStart 60.39Hz 4.99Hz 0.2Hz 1213 100 4 
      powercfg /setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 5000

  • Set the active scheme as the current scheme

    powercfg /setactive scheme_current

Configure the BCD Store

Warning

🔒 Disabling DEP may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting.

Open CMD and enter the commands below.

  • Data Execution Prevention is set to Turn on for essential Windows programs and services only by default. However, DEP can be completely disabled with the command below but a minority of anti-cheats require DEP to be left on the default setting. Do not change if unsure

    bcdedit /set nx AlwaysOff

  • Windows 8+ Only

  • The command below can be used to revert to the Windows default if necessary

    bcdedit /deletevalue <option>

Replace Task Manager with Process Explorer

Task Manager lacks useful metrics compared to a tool such as Process Explorer. On Windows 8+, Task Manager reports CPU utility in % which provides misleading CPU utilization details (1). On the other hand, Windows 7's Task Manager and Process Explorer report time-based busy utilization. This also explains why disabling idle states within the OS results in 100% CPU utilization in Task Manager.

  • Download and extract Process Explorer

  • Copy procexp64.exe into a safe directory such as C:\Windows and open it

  • Navigate to Options and select Replace Task Manager. Optionally configure the following:

    • Confirm Kill

    • Allow Only One Instance

    • Always On Top (helpful for when applications crash and UI becomes unresponsive)

    • Enable the following columns for granular resource measurement metrics

      • Context Switch Delta (Process Performance)

      • CPU Cycles Delta (Process Performance)

      • Delta Reads (Process I/O)

      • Delta Writes (Process I/O)

      • Delta Other (Process I/O)

    • Enable the VirusTotal column

Disable Process Mitigations (Windows 10 1709+)

Warning

🔒 Disabling process mitigations may negatively impact security. Users should assess the security risk involved with modifying the mentioned setting.

Open CMD and enter the command below to disable process mitigations. Effects can be viewed with Get-ProcessMitigation -System in PowerShell.

C:\bin\disable-process-mitigations.bat

Configure Memory Management Settings (Windows 8+)

  • Open PowerShell and enter the command below

    Get-MMAgent

  • Use the command below as an example to disable a given setting. If you left Superfetch/Prefetch enabled in the Miscellaneous section, then you likely want the prefetching related features enabled

    Disable-MMAgent -MemoryCompression

Configure the Network Adapter

  • Open Network Connections by typing ncpa.cpl in Win+R

  • Disable any unused network adapters then right-click your main one and select Properties

  • Disable all items you don't require which typically is everything except QoS Packet Scheduler and Internet Protocol Version 4 (TCP/IPv4) for most consumers

  • Disable NetBIOS over TCP/IP for all network adapters in Internet Protocol Version 4 (TCP/IPv4) -> Properties -> General -> Advanced -> WINS to prevent unnecessary system listening (1)

Configure Audio Devices

  • The sound control panel can be opened by typing mmsys.cpl in Win+R

  • Disable unused Playback and Recording devices

  • Disable audio enhancements as they waste resources (1)

  • Optionally set the option in the communications tab to Do nothing to prevent automatic adjustment of audio levels between audio sources as this is an annoyance for the majority of users (1, 2)

  • Minimize the size of the audio buffer with REAL/LowAudioLatency or on your DAC (1). Beware of audio dropouts due to the CPU not being able to keep up under load

    • Be warned regarding CPUs being reserved or underutilized with the usage of the mentioned programs (1)

Configure Services and Drivers

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip this step as general compatibility is restricted.

Warning

🔒 Using minimal services may negatively impact security. This is due to security related feature services (e.g. firewall) getting disabled although as mentioned below, this is a temporary state in which these features will only be unavailable for a limited amount of time. Users should assess the security risk involved with modifying the mentioned setting.

I'm not responsible if anything goes wrong or you BSOD. The idea is to disable services while using your real-time application and revert to default services for everything else.

  • The list can be customized by editing C:\bin\minimal-services.ini in a text editor. There are several comments in the config file that you can read to check whether you need a given service or not. As an example, a user with Ethernet does not need the Wi-Fi services enabled. If you plan on editing minimal-services.ini, then learn the syntax of the config file

  • Configure a Static IP address. This is required as we will be disabling the services that waste resources which DHCP relies on

  • The High precision event timer device in Device Manager uses IRQ 0 on the majority of AMD systems and consequently conflicts with the System timer device which also uses IRQ 0. The only way that I'm aware of to resolve this conflict is to disable the parent device of the System timer device which is PCI standard ISA bridge by disabling the msisadrv driver (edit the config)

  • Use the command below to prevent the Software Protection service attempting to register a restart every 30s while services are disabled (1). I'm not sure what the problematic service is, but online sources point to Task Scheduler (1, 2)

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "InactivityShutdownDelay" /t REG_DWORD /d "4294967295" /f

  • On Win10 1503 - 1703, delete the ErrorControl registry key in HKLM\SYSTEM\CurrentControlSet\Services\Schedule to prevent an unresponsive explorer shell after disabling the Task Scheduler service

  • Download and extract the latest service-list-builder release. Open CMD and CD to the extracted folder where the executable is located

  • Use Autoruns to remove entries with a yellow label in the Services section to prevent errors with finding non-existent binaries in service-list-builder

  • Use the command below to build the scripts in the build folder. Move the build folder somewhere safe such as C:\ and do not share it with other people as it is specific to your system. Note that NSudo with the Enable All Privileges option is required to run the batch scripts

    service-list-builder.exe --config C:\bin\minimal-services.ini

    • If a warning regarding non-Windows services is encountered, assess the services in the warning message to determine whether you would like to keep them enabled by editing the configuration file or indeed want to disable them by using the --disable-service-warning argument. As an example, NVIDIA Display Container LS may show up in the warning as it is a non-Windows service but disabling it is intentional as we don't need access to the control panel after running Services-Disable.bat but have the ability to gain access to it after running Services-Enable.bat. In this case, using the argument to ignore the warning is appropriate. Another example is vgc which is required for Valorant's anti-cheat, so you wouldn't want to disable this hence it would be appropriate to add it to enabled_services in the config as it is a user-mode service

    • If you would like to rebuild the scripts, ensure to run the generated Services-Enable.bat script beforehand as the tool relies on the current state of services for building future scripts

  • If desired, you can use ServiWin to check for residual drivers after disabling services then possibly create an issue on the repository so that it can be reviewed

Debugging Services

For future reference, if something doesn't work after disabling services but works once services are re-enabled:

  • Short-term/Temporary Solution: Run Services-Enable.bat, do whatever you are trying to do, then run Services-Disable.bat again (that's the idea of having toggle scripts!). If the functionality is still broken after enabling services then the problem is not related to services

  • Long-term/Permanent Solution: If you absolutely need some functionality while services are disabled, then see the Debugging Services section in the documentation to determine what services are required for it. Note that this is only an option if that functionality works while services are enabled but breaks with services disabled. Once you have found what services are required for some functionality, you can contribute by posting an issue describing what functionality was fixed so that the services can be added to the config for the future

Configure Device Manager

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip the steps that involve disabling devices as general compatibility is restricted.

The section is directly related to the Configure Services and Drivers section. The methodology below will ensure maximum compatibility while services are enabled because devices with an associated driver will be toggled in the Services-Disable.bat script which means we do not need to permanently disable them.

  1. If you haven't disabled services at this stage, run the Services-Disable.bat script

  2. Open Device Manager by typing devmgmt.msc in Win+R

  3. DO NOT disable any devices with a yellow icon because these are the devices that are being handled by the Services-Disable.bat script

  4. Navigate to View -> Devices by type

    • In the Disk drives category, disable write-cache buffer flushing on all drives in the Properties -> Policies section

    • In the Network adapters category, navigate to Properties -> Advanced and disable any power-saving features

  5. Navigate to View -> Devices by connection

    • Disable any PCIe, SATA, NVMe and XHCI controllers and USB hubs with nothing connected to them

    • Disable everything that isn't the GPU on the same PCIe port

  6. Navigate to View -> Resources by connection

    • Disable any unneeded devices that are using an IRQ or I/O resources, always ask if unsure and take your time on this step

    • If there are multiple of the same devices, and you are unsure which one is in use, refer back to the tree structure in View -> Devices by connection. Remember that a single device can use many resources. You can also use MSI Utility to check for duplicate and unneeded devices in case you accidentally miss any with the confusing Device Manager tree structure

  7. Run the Services-Enable.bat script to continue with the rest of the guide. Remember to run the Services-Disable.bat script before running your real-time application for future reference

  8. Optionally use DeviceCleanup to remove hidden devices

Disable Driver Power-Saving

Open PowerShell and enter the command below to disable the Allow the computer to turn off this device to save power option for all applicable devices in Device Manager.

Re-plugging devices may cause this option to re-enable so either avoid doing so, run this command again or create a script to execute the command each time at startup as a precautionary measure. See docs/startup-techniques.md.

Get-WmiObject MSPower_DeviceEnable -Namespace root\wmi | ForEach-Object { $_.enable = $false; $_.psbase.put(); }

Configure Event Trace Sessions

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip this step as general compatibility is restricted.

Create registry files to toggle event trace sessions. Programs that rely on event tracers will not be able to log data until the required sessions are restored which is the purpose of creating two registry files to toggle between them (identical concept to the service scripts). Open CMD and enter the commands below to build the registry files in the C:\ directory. As with the services scripts these registry files must be run with NSudo. The sessions can be viewed by typing perfmon in Win+R then navigating to Data Collector Sets -> Event Trace Sessions.

  • ets-enable

    reg export "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" "C:\ets-enable.reg"

  • ets-disable

    >> "C:\ets-disable.reg" echo Windows Registry Editor Version 5.00 && >> "C:\ets-disable.reg" echo. && >> "C:\ets-disable.reg" echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger]

  • Disable SleepStudy (UserNotPresentSession)

    for %a in ("SleepStudy" "Kernel-Processor-Power" "UserModePowerService") do (wevtutil sl Microsoft-Windows-%~a/Diagnostic /e:false)

Optimize the File System

Open CMD and enter the commands below.

Message Signaled Interrupts

Message signaled interrupts (MSIs) are faster than traditional line-based interrupts and may also resolve the issue of shared interrupts which are often the cause of high interrupt latency and stability (1).

  • Download and open MSI Utility or GoInterruptPolicy

  • MSIs can be enabled on devices that support it. It is worth noting that it may be in the developer's intention to not enable MSIs in the driver INF file hence MSIs will be disabled by default once the driver is installed. Namely, NVIDIA seems to selectively enable MSIs depending on the GPU architecture (1). Exercise with due care and carry out tests to determine whether said changes entail a positive impact on your system

    • You will BSOD if you enable MSIs for the stock Windows 7 SATA driver which you should have already updated as mentioned in the Install Drivers section

  • Be careful as to what you choose to prioritize. As an example, an I/O bound application may suffer a performance loss including an open-world game that utilizes texture streaming if the GPU IRQ priority is set higher than the storage controller priority. For this reason, you can set all devices to undefined/normal priority

  • Restart your PC, you can verify whether a device is utilizing MSIs by checking if it has a negative IRQ in MSI Utility

  • Although this was carried out in the Physical Setup section, confirm that there is no IRQ sharing on your system by typing msinfo32 in Win+R then navigating to the Conflicts/Sharing section

XHCI Interrupt Moderation (IMOD)

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip this step as it is not required.

On most systems, Windows 7 uses an IMOD interval of 1ms whereas recent versions of Windows use 0.05ms (50us) unless specified by the installed USB driver. This means that after an interrupt has been generated, the XHCI controller waits for the specified interval for more data to arrive before generating another interrupt which reduces CPU utilization but potentially results in data from a given device being supplied at an inconsistent rate in the event of expecting data from other devices within the waiting period that are connected to the same XHCI controller.

For example, a mouse with a 1kHz polling rate will report data every 1ms. While only moving the mouse with an IMOD interval of 1ms, interrupt moderation will not be taking place because interrupts are being generated at a rate less than or equal to the specified interval. Realistically while playing a fast-paced game, you will easily surpass 1000 interrupts/s with keyboard and audio interaction while moving the mouse hence there will be a loss of information because you will be expecting data within the waiting period from either devices. Although this is unlikely with an IMOD interval of 0.05ms (50us), it can still happen.

As an example, 1ms IMOD interval with an 8kHz mouse is already problematic because you are expecting data every 0.125ms which is significantly greater than the specified interval and of course, results in a major bottleneck (1).

  • See How to persistently disable XHCI Interrupt Moderation | BoringBoredom

  • Microsoft Vulnerable Driver Blocklist may need to be disabled with the command below in order to load the RWEverything driver however a handful of in-game anti-cheats do not adhere to disabling the blocklist (e.g. CS2, THE FINALS)

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d "0" /f

  • In some cases, the interrupter index can change after a reboot meaning the address will become invalid if it is hard-coded. To work around this, you can simply disable IMOD for all interrupters by placing the XHCI-IMOD-Interval.ps1 script somewhere safe and launching it at startup. See docs/startup-techniques.md

    PowerShell C:\XHCI-IMOD-Interval.ps1

  • To determine whether changing the IMOD interval is taking effect, you can temporarily set the interval to 0xFA00 (62.5Hz). If the mouse cursor is visibly stuttering upon movement, then the changes are successfully taking effect

Configure Control Panel

It isn't a bad idea to skim through both the legacy and immersive control panel to ensure nothing is misconfigured.

Configuring Applications

  • Install any programs and configure your real-time applications to prepare us for the final steps

  • If applicable, favor portable editions of programs as installers tend to leave bloatware behind even after uninstalling them

NVIDIA Reflex

Consider using NVIDIA Reflex.

Framerate Limit

  • Cap your framerate at a multiple of your monitor refresh rate to prevent frame mistiming

  • Choose a value that is close to the minimum fps threshold for increased smoothness

  • Ensure that the GPU isn't fully utilized as lower GPU utilization reduces system latency (1, 2)

  • Capping your framerate with RTSS instead of the in-game limiter will result in consistent frame pacing and a smoother experience as it utilizes busy-wait which offers higher precision than 100% passive-waiting but at the cost of noticeably higher latency and potentially greater CPU overhead (1, 2). Disabling the Enable dedicated encoder server service setting prevents EncoderServer.exe from running

Presentation Mode

  • Always verify whether your real-time application is using the desired presentation mode with PresentMon

  • You can experiment and benchmark different presentation modes to assess which you prefer

  • If there are no results after searching for the application's binary name in HKCU\SYSTEM\GameConfigStore within registry, you may need to temporarily enable Xbox Game Bar in settings then tick the Remember this is a game option. Check whether the entry has been created under the aforementioned registry key

  • If you want to use the Hardware: Legacy Flip presentation mode, tick the Disable fullscreen optimizations checkbox. If that doesn't work, try running the commands below in CMD and reboot. These registry keys are typically accessed by the game and Windows upon launch

    reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    reg add "HKCU\SYSTEM\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

  • If you are stuck with Hardware Composed: Independent Flip and would like to use another presentation mode, try running the command below to disable MPOs in CMD and reboot

    reg add "HKLM\SOFTWARE\Microsoft\Windows\Dwm" /v "OverlayTestMode" /t REG_DWORD /d "5" /f

QoS Policies

Allows Windows to prioritize packets of an application.

Per-CPU Scheduling

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip this step as it is not required.

Kernel-Mode (Interrupts, DPCs and more)

Windows schedules interrupts and DPCs on CPU 0 for several modules by default. In any case, scheduling many tasks on a single CPU can introduce additional overhead and increased jitter due to them competing for CPU time. To alleviate this, affinities can be configured to isolate given modules from disturbances including servicing time-sensitive modules on underutilized CPUs instead of clumping everything on a single CPU.

  • Use the xperf DPC/ISR report generated by the xperf-dpcisr.bat script to analyze which CPUs kernel-mode modules are being serviced on. You can not manage affinities if you do not know what is running and which CPU(s) they are running on, the same applies to user-mode threads. Additionally, verify whether interrupt affinity policies are performing as expected by analyzing per-CPU usage for the module in question while the device is busy

  • Additionally, core-to-core-latency benchmarks can assist with decision-making in terms of affinity management

  • Ensure that the corresponding DPC for an ISR is processed on the same CPU. Additional overhead can be introduced if they are processed on different CPUs due to increased inter-processor communication and interfering with cache coherence

  • Use Microsoft Interrupt Affinity Tool or GoInterruptPolicy to configure driver affinities. The device can be identified by cross-checking the Location in the Properties -> General section of a device in Device Manager

GPU and DirectX Graphics Kernel

AutoGpuAffinity can be used to benchmark the most performant CPUs that the GPU-related modules are assigned to.

XHCI and Audio Controller

The XHCI and audio controller related modules generate a substantial amount of interrupts upon interaction respective of the relevant device. Isolating the related modules to an underutilized CPU is beneficial for reducing contention.

Network Interface Card

The NIC must support MSI-X for Receive Side Scaling to function properly (1). In most cases, RSS base CPU is enough to migrate DPCs and ISRs for the NIC driver which eliminates the need for an interrupt affinity policy. However, if you are having trouble migrating either to other CPUs, try configuring both simultaneously.

The command below can be used to configure RSS base CPU. Ensure to change the driver key to the one that corresponds to the correct NIC. Keep in mind that the amount of RSS queues determines the amount of consecutive CPUs that the network driver is scheduled on. For example, the driver will be scheduled on CPU 2/3/4/5 (2/4/6/8 with HT/SMT enabled) if RSS base CPU is set to 2 along with 4 RSS queues configured.

User-Mode (Processes, Threads)

There are several methods to set affinities for processes. One of which is Task Manager but only persists until the process is closed. A more popular and permanent solution is Process Lasso which allows the configuration to be saved, however a process must run continually in the background which introduces minor overhead. To work around this, you can simply launch the application with a specified CPU affinity which eliminates the requirement of programs such as Process Lasso for affinity management.

  • Use the CPU Affinity Mask Calculator to determine the desired hexal affinity bitmask

  • In some cases, process can be protected so specifying the affinity may fail. To work around this, you can try specifying the affinity for the parent processes which will cause the child process to inherit the affinity when spawned. As an example, a game launcher is usually the parent process of a game. Process Explorer's process tree can be used to identify parent and child processes

    • Process Hacker and WindowsD can bypass several process-level protections through exploits but is not advised as they interfere with anti-cheats

  • For modern Intel and AMD (3D V-Cache) systems, this step is especially required so read carefully. The points regarding manually managing per-CPU load in the Install Drivers and Configure Power Options sections will be discussed in the current and next section. ReservedCpuSets will be used as a technique to manually accomplish what the chipset drivers and default power options try to do out of the box. The advantages of manual management have already been discussed in the mentioned sections (minimizing overhead)

  • It may be worth benchmarking the performance scaling of your real-time application against core count as it may behave differently due to poor scheduling implementations from the application and/or OS. In some cases, it is possible that the application may perform better with fewer cores assigned to it via an affinity mask for several reasons. This will also give you a rough idea as to how many cores you can reserve in the Reserved CPU Sets step

Starting a Process with a Specified Affinity Mask

The command below starts notepad.exe with an affinity of CPU 1 and CPU 2 as an example which will reflect in Task Manager. This command can be placed in a batch script for easy access and must be used each time to start the desired application with the specified affinity.

start /affinity 0x6 notepad.exe

Specifying an Affinity Mask for Running Processes

Sometimes, the processes that you would like to set an affinity mask to are already running, so the previous command is not applicable here. As a random example, the command below sets the affinity mask of the svchost.exe and audiodg.exe processes to CPU 3. Use this example to create a PowerShell script then have it run at startup. See docs/startup-techniques.md.

Get-Process @("svchost", "audiodg") -ErrorAction SilentlyContinue | ForEach-Object { $_.ProcessorAffinity=0x8 }

Reserved CPU Sets (Windows 10+)

ReservedCpuSets can be used to prevent Windows routing interrupts and scheduling tasks on specific CPUs. As mentioned previously, isolating modules from user and kernel-level disturbances helps reduce contention, jitter and allows time-sensitive modules to get the CPU time they require.

  • As mentioned in the User-Mode (Processes, Threads) step, you should determine how well or poorly your application's performance scales with core count to give you a rough idea as to how many cores you can afford to reserve

  • As interrupt affinity policies, process and thread affinities have higher precedence, you can use this hand in hand with user-defined affinities to go a step further and ensure that nothing except what you assigned to specific CPUs will be scheduled on those CPUs

  • Ensure that you have enough cores to run your real-time application on and aren't reserving too many CPUs to the point where isolating modules does not yield real-time performance

  • As CPU sets are considered soft policies, the configuration isn't guaranteed. A CPU-intensive process such as a stress-test will utilize the reserved cores if required

Important

Unexpected behavior occurs when a process affinity is set to reserved and unreserved CPUs. Ensure to set the affinity to either reserved or unreserved CPUs, not a combination of both. See here for more information.

Use Cases

  • Hinting to the OS to schedule tasks on a group of CPUs. An example of this with modern platforms could be reserving E-Cores (efficiency cores) or either CCX/CCDs so that tasks are scheduled on P-Cores (performance cores) or other CCX/CCDs by default. With this approach, you can explicitly enforce background and unimportant tasks to be scheduled on the reserved CPUs. Note that this is purely an example and the logic can be flipped, but some latency-sensitive processes and modules are protected so affinity policies may fail which is a major limitation. See the User-Mode (Processes, Threads) section for more information. There are several possibilities and trade-offs to consider

  • Reserving CPUs that have specific modules assigned to be scheduled on them. For example, isolating the CPU that the GPU and XHCI driver is serviced on improved frame pacing (1)

Raise the Clock Interrupt Frequency (Timer Resolution)

Raising the timer resolution helps with precision where constant sleeping or pacing is required such as multimedia applications, framerate limiters and more. In an ideal world when relying on sleep-related functions to pace events, Sleep(n) should sleep for n milliseconds, not n plus an arbitrary number. If the delta between n and what you expect to sleep for in reality is large, events won't be paced as you would expect which can result in unexpected or undesirable behavior. This is especially apparent in sleep-based framerate limiters. Below is a list of bullet points highlighting key information regarding the topic.

  • Applications that require a high resolution already call for 1ms (1kHz) most of the time. In the context of a multimedia application, this means that it can maintain the pace of events within a resolution of 1ms, but we can take advantage of 0.5ms (2kHz) being the maximum resolution supported on most systems

  • The implementation of timer resolution changed in Windows 10 2004+ so that the calling process does not affect the system on a global level but can be restored on Windows Server and Windows 11+ with the registry key below as explained in depth here. In terms of the global behavior, you should have already chosen an appropriate Windows version after going through the What Version of Windows Should You Use? section. As long as the process that requires high precision is calling for a higher resolution, this does not matter. Although, it limits us from raising the resolution beyond 1ms (unless you have a kernel-mode driver or inject a DLL into the process which is a topic for another day)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"GlobalTimerResolutionRequests"=dword:00000001

  • Even if you do not want to raise the timer resolution beyond 1ms, it is useful to call for it nonetheless as old applications do not raise the resolution which results in unexpected behavior

  • Higher resolution results in higher precision, but in some cases 0.5ms provides less precision than something slightly lower such as 0.507ms. You should benchmark what calling resolution provides the highest precision (the lowest deltas) in the MeasureSleep program while requesting different resolutions with the SetTimerResolution program. This should be carried out under load as idle benchmarks may be misleading. The micro-adjust-benchmark.ps1 script can be used to automate the process

Analyze Event Viewer

Warning

💻 If you are configuring a system for general-purpose use such as for work or school, then skip this step as it is not required.

This step isn't required, but can help to justify unexplained performance issues. From a developer's perspective, we have certainly broken the operating system as we are running minimal services, debloated Windows and more. Code that naturally depends on something that is disabled or removed will throw errors or get stuck in an error loop. We can use event viewer to inspect whether everything is running as it should be. This is the method that was used to identify that the Software Protection service was attempting to register a restart every 30s as explained in the Configure Services and Drivers section along with a Google search that lead me to the solution.

  • Depending on your configuration, the Services-Disable.bat script that was generated in the Configure Services and Drivers section may have disabled logging, so the start values for Wecsvc and EventLog must be changed to their default values which can be found in the Services-Enable.bat script. Make a note of what the values currently are so that you can restore them later

  • Merge the ets-enable.reg file that was generated in the Configure Event Trace Sessions section as it is required for event logging

  • After running the script, use your PC normally for a while then open event viewer by typing eventvwr.msc in Win+R. Inspect each section for errors and investigate how they can be solved

  • Once finished, set the Wecsvc and EventLog start values back to their previous value in the Services-Disable.bat script

CPU Idle States/C-State 0

Disabling idle states force C-State 0, which can be seen in HWiNFO, and is in Microsoft's recommendations for configuring devices for real-time performance (1). Forcing C-State 0 mitigates the undesirable delay to execute new instructions on a CPU that has entered a deeper power-saving state at the expense of higher idle temperatures and power consumption. The CPU temperature should not increase to the point of thermal throttling because you should have already assessed that in docs/physical-setup.md. If a static CPU frequency is not set, the effects of forcing C-State 0 should be assessed in terms of frequency boosting behavior (e.g. Precision Boost Overdrive, Turbo Boost). Avoid disabling idle states with Hyper-Threading/Simultaneous Multithreading enabled as single-threaded performance is usually negatively impacted. The commands below can be used to toggle idle states.

Disable Idle States

powercfg /setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 1 && powercfg /setactive scheme_current

Enable Idle States (default)

powercfg /setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 0 && powercfg /setactive scheme_current

Cleanup

  • Use Autoruns to remove any unwanted programs from launching at startup

  • Some locations you may want to review for residual files

    • "C:\"

    • "C:\Windows\Prefetch"

    • "C:\Windows\Temp"

    • "%userprofile%\AppData\Local\Temp"

    • "%userprofile%\Downloads"

  • Configure Disk Cleanup

    • Open CMD and enter the command below, tick all the boxes except DirectX Shader Cache, press OK

      cleanmgr /sageset:0

    • Run Disk Cleanup

      cleanmgr /sagerun:0

  • For reference, the ScheduledDefrag task that was disabled in the Disable Residual Scheduled Tasks section executes the command below

    defrag -c -h -o -$

Final Thoughts and Tips

  • Favor tools such as Bulk-Crap-Uninstaller to uninstall programs as the regular control panel does not remove residual files

  • Kill processes that waste resources such as clients, explorer.exe and more

    • Use Ctrl+Shift+Esc to open process explorer then use File -> Run to start the explorer.exe shell again