Since you've been building a domain lab with Active Directory, DNS, and RDP, you are already ahead of most entry-level candidates. These questions focus on the "Level 1" basics: troubleshooting, customer service, and core networking.
1. "A user says their computer is 'slow.' How do you start troubleshooting?"
- What they’re looking for: A logical process.
- The Answer: Start by defining "slow" (Is it the internet? Is it an app? Is it booting up?). Open Task Manager to check for high CPU/Memory usage. Check the uptime; if it’s been on for 30 days, a restart is the first step.
2. "What is the difference between a Workgroup and a Domain?"
- What they’re looking for: Understanding of centralized management.
- The Answer: A Workgroup is decentralized; every PC manages its own users. A Domain (like your labserver2022.local) is centralized; users and permissions are managed by a Domain Controller (Active Directory).
3. "A user can’t access a shared folder on the server. What do you check?"
- What they’re looking for: Knowledge of permissions and connectivity.
- The Answer:
  1. Check physical connectivity (can they ping the server?).
  2. Check NTFS permissions vs. Share permissions.
  3. Ensure the user is in the correct AD Group for that folder.
4. "How do you explain a technical issue to a non-technical user?"
- What they’re looking for: Soft skills and empathy.
- The Answer: Use analogies (like the post office for DNS/IPs). Avoid jargon. Instead of saying "Your DHCP lease expired," say "Your computer needs to request a new address from the network, and I'm going to refresh that for you."
5. "What is DNS, and what happens if it fails?"
- What they’re looking for: Understanding of name resolution.
- The Answer: DNS (Domain Name System) translates names like google.com into IP addresses. If it fails, users can’t reach websites by name, even if the internet is "working." You can test this using nslookup.
6. "What is the purpose of a Default Gateway?"
- What they’re looking for: Networking basics.
- The Answer: It is the "exit door" for a local network. It’s the router's IP address that handles traffic destined for any address outside the local subnet (like the internet).
7. "A user's account is locked out. How do you fix it, and what do you investigate?"
- What they’re looking for: Security awareness.
- The Answer: Unlock the account in Active Directory Users and Computers. Investigate why it happened: Does the user have an old password saved on a mobile phone or a mapped drive (like your P: drive) that keeps trying to log in?
8. "What is the 'Blue Screen of Death' (BSOD), and how do you handle it?"
- What they’re looking for: Hardware/Driver troubleshooting.
- The Answer: It's a critical system error. I would note the Stop Code (e.g., CRITICAL_PROCESS_DIED), check for recently installed hardware/drivers, and try booting into Safe Mode to roll back changes.
9. "What is DHCP, and what is an APIPA address?"
- What they’re looking for: Identifying "no connection" states.
- The Answer: DHCP assigns IP addresses automatically. If a computer shows an address starting with 169.254.x.x, it has an APIPA address, meaning it couldn’t reach the DHCP server and has no network access.
10. "How do you handle an angry or frustrated caller?"
- What they’re looking for: De-escalation skills.
- The Answer: Let them vent first. Acknowledge their frustration ("I understand this is stopping you from doing your work"). Reassure them you are going to help, and keep them updated on what you are doing.
Pro Tip for Your Interview
Mention your lab! When they ask about DNS or Active Directory, say: "In my home lab, I built a Windows Server 2022 domain where I configured DNS forwarders and managed RDP access via Group Policy." That one sentence proves you have hands-on experience most L1s don't.
Win11VM - Fault 1 – DNS:
Admin check:
Each fault below is listed as: Fault Scenario, Domain-Context Diagnosis/Action, Privilege Required, Escalation Decision.
Networking & Connectivity
1. No Internet Access (DNS Client Disabled)
- Diagnosis: You can successfully run ipconfig, and ping works to the gateway, but nslookup (or pinging a domain like google.com) fails.
- Privilege Required: Admin (to modify services).
- Escalation Decision: Escalate. The service is stopped and locked down by the Domain/GPO. Your job is to report the stopped DnsClient service.
Normal Operation:
Proves DHCP and Web OK, Firewall on port 80 OK
PS C:\Windows\system32> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win11VM
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-69-02
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1059:7018:a1d5:5042%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.105(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 12 December 2025 19:42:00   <- DHCP works
Lease Expires . . . . . . . . . . : 12 December 2025 21:42:00
Default Gateway . . . . . . . . . : 192.168.1.1   <- Internet probable
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 100668765
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-30-CD-DF-8A-00-15-5D-01-69-02
DNS Servers . . . . . . . . . . . : 192.168.1.1   <- DNS/DHCP on same server, a router likely
NetBIOS over Tcpip. . . . . . . . : Enabled
Proves DNS OK
PS C:\Windows\system32> ping google.com
Pinging google.com [142.251.133.142] with 32 bytes of data:
Reply from 142.251.133.142: bytes=32 time=25ms TTL=118
Reply from 142.251.133.142: bytes=32 time=26ms TTL=118
Ping statistics for 142.251.133.142:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 26ms, Average = 24ms
PS C:\Windows\system32> nslookup 8.8.8.8
Server: UnKnown
Address: 192.168.1.1
Name: dns.google   <- Name resolution working
Address: 8.8.8.8
Tests Firewall in/out port 80 OK
PS C:\Windows\system32> Test-NetConnection -Port 80
ComputerName : internetbeacon.msedge.net   <- MS gives a site not given in command
RemoteAddress : 13.107.4.52
RemotePort : 80
InterfaceAlias : Ethernet
SourceAddress : 192.168.1.105   <- host IP
TcpTestSucceeded : True   <- Proves port 80 open incoming (reply)
WHAT TO LOOK FOR WHEN ANY OF THE ABOVE TESTS FAIL: DNS
I could break these connections by turning off the DNS or DHCP Client in Services, or closing ports TCP 68 (DHCP client) and UDP 53 (DNS) in Windows Defender.
Here are the additional ways DNS resolution can fail, resulting in the symptom of successful gateway ping but failed domain ping:
- Invalid DNS Server Address:
  - Method: Manually configuring the Network Adapter properties (IPv4) with a DNS IP that is offline or incorrect.
  - Tool: Network and Internet Settings > Adapter properties.
- Manual Hosts File Entry:
  - Method: Inserting a line in the hosts file to point a domain (e.g., google.com) to an unrouteable IP (e.g., 127.0.0.1).
  - Tool: File Explorer (navigating to C:\Windows\System32\drivers\etc\hosts) and a text editor.
- Application-Specific Firewall Block:
  - Method: Creating a Windows Defender Firewall rule that blocks test tools like ping.exe (nasty on a tech test!!) from initiating any outbound connection, so you would assume DNS is not working!
  - Note: On a 64-bit system the rule has to target ping.exe in C:\Windows\SysWOW64. Program blocks on the System32 copy won't work, as they call 64-bit programs. Even blocking ping.exe in SysWOW64 is not guaranteed, as Windows 11 has other methods of creating ICMP packets, so you would have to firewall the ICMP packets themselves rather than block by program. Blocking by program is bad domain policy practice across thousands of PCs anyway, which is why it is done with firewall ICMP blocks, not program blocks.
  - Tool: Windows Defender Firewall with Advanced Security.
- Proxy Server Misconfiguration (search "proxy"):
  - Method: Configuring the system to use an unreachable or invalid proxy server for network requests.
  - Tool: Windows 11 Settings \ Network & Internet \ Proxy.
- IP Helper Service Disabled:
  - Method: Stopping and disabling the IP Helper service, which assists with network tunnelling and modern name resolution processes.
  - Tool: Services Console (services.msc).
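The causes listed above can be checked in one read-only pass. The following PowerShell is an added example, not part of the original notes: the function name, the output shape and the default test name are illustrative choices, and it assumes the standard Windows service names Dnscache (DNS Client), Dhcp (DHCP Client) and iphlpsvc (IP Helper).

```powershell
# Added example (not from the original page): read-only triage for the
# "gateway pings but names do not resolve" symptom. Function name, output
# shape and the default test name are illustrative choices.
function Get-DnsFaultTriage {
    param([string]$TestName = 'google.com')

    function New-Finding($Check, $Ok, $Detail) {
        [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
    }

    # 1. Client services: DNS Client, DHCP Client, IP Helper.
    foreach ($svc in Get-Service -Name Dnscache, Dhcp, iphlpsvc -ErrorAction SilentlyContinue) {
        $detail = "Status=$($svc.Status) StartType=$($svc.StartType)"
        New-Finding "Service $($svc.DisplayName)" ($svc.Status -eq 'Running') $detail
    }

    # 2. Default gateway reachability (the part of the symptom that still works).
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    if (-not $cfg) {
        New-Finding 'Default gateway' $false 'No IPv4 gateway found (check DHCP / 169.254.x.x)'
        return
    }
    $gw = @($cfg.IPv4DefaultGateway.NextHop)[0]
    New-Finding "Ping gateway $gw" (Test-Connection -ComputerName $gw -Count 2 -Quiet) ''

    # 3. Ask each configured DNS server directly. -Server with -DnsOnly goes
    #    straight to that server, so a failure here points at the server
    #    address or at blocked port 53, not at the local hosts file.
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4).ServerAddresses
    foreach ($s in $servers) {
        try {
            $ips = (Resolve-DnsName -Name $TestName -Type A -Server $s -DnsOnly -ErrorAction Stop |
                    Where-Object IPAddress).IPAddress
            New-Finding "Direct query to DNS server $s" $true ($ips -join ', ')
        } catch {
            New-Finding "Direct query to DNS server $s" $false $_.Exception.Message
        }
    }

    # 4. Normal client path (hosts file, cache, then DNS). If step 3 works and
    #    this fails or returns an odd address, the cause is local to the PC.
    try {
        $sys = (Resolve-DnsName -Name $TestName -Type A -ErrorAction Stop | Where-Object IPAddress).IPAddress
        New-Finding 'System resolver' $true ($sys -join ', ')
    } catch {
        New-Finding 'System resolver' $false $_.Exception.Message
    }

    # 5. Hosts file lines that mention the test name.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $entries = @(Get-Content $hostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -match [regex]::Escape($TestName) })
    New-Finding 'Hosts file override' ($entries.Count -eq 0) ($entries -join ' | ')

    # 6. Manual proxy setting for the current user.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Finding 'Manual proxy' ($inet.ProxyEnable -ne 1) "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer)"

    # 7. Enabled outbound Block rules on ping.exe, ICMP or port 53.
    #    ActiveStore is the effective rule set, including rules applied by GPO.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    $hits = foreach ($r in $rules) {
        $app  = ($r | Get-NetFirewallApplicationFilter).Program
        $port = $r | Get-NetFirewallPortFilter
        if ($app -like '*\ping.exe' -or $port.Protocol -like 'ICMP*' -or $port.RemotePort -contains '53') {
            "$($r.DisplayName) [$($port.Protocol) $($port.RemotePort) $app]"
        }
    }
    New-Finding 'Outbound block rules (ping.exe / ICMP / port 53)' (-not $hits) ($hits -join ' | ')
}

Get-DnsFaultTriage | Format-Table -AutoSize -Wrap
```

Any row with Ok = False is what goes in the escalation ticket; the script changes nothing, so it fits the report-and-escalate role described for this fault.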
2. Cannot Reach File Share (SMB Blocked)
- Diagnosis: Attempting to reach a share fails, and tools like Test-NetConnection -Port 445 fail. Checking the Windows Firewall GUI confirms an active, blocking rule.
- Privilege Required: Admin (to modify firewall).
- Escalation Decision: Escalate. You must confirm the blocking firewall rule, note that it requires Administrator access to delete, and escalate for removal.
Find the port rule by searching by port number using "Filter by State"; the example is port 4444.
NB! If using a VM to connect to, it HAS to have an External Switch added to the real host's net connector so it is on the same LAN! The default is a local switch on a 172.x.x LAN.
The Windows firewall may also default the LAN connection to Public on the VM, so it needs setting to Private.
Sharing has to be on (LANMAN and Workstation services running) and a Share dir available.
Proof VM working - scanned from host:
PS C:\WINDOWS\system32> Test-NetConnection -ComputerName Win11VM -Port 445
ComputerName : Win11VM
RemoteAddress : fe80::1059:7018:a1d5:5042%48
RemotePort : 445
InterfaceAlias : vEthernet (Ext LAN Switch)
SourceAddress : fe80::f3cc:b65b:c017:30c0%48
TcpTestSucceeded : True
Running this locally shows if Sharing SMB port 445 and server are open:
PS C:\Windows\system32> Test-NetConnection -ComputerName Win11VM -Port 445
ComputerName : Win11VM
RemoteAddress : fe80::1059:7018:a1d5:5042%8
RemotePort : 445
InterfaceAlias : Ethernet
SourceAddress : fe80::1059:7018:a1d5:5042%8
TcpTestSucceeded : True
I could break these by turning off the sharing service "Server" or the Workstation service in Services, closing port 445 inbound in the Firewall, turning on the Public firewall profile (NoTrust), or turning off Network Discovery / File and Printer Sharing.
Additional Ways File Sharing (SMB) is Broken
- Local Security Policy - User/Share Permissions
  This is the most common non-service/non-firewall issue and involves access control lists (ACLs).
  - Fault: The share is visible, but the user gets an "Access Denied" error when trying to open it.
  - L1 Checkpoint:
    - Share Permissions: Right-click the folder, go to Properties > Sharing Tab > Advanced Sharing... > Permissions. ON THE ACTUAL VM, not the HOST!
    - NTFS Security Permissions: Right-click the folder, go to Properties > Security Tab. ON THE SHARING VM, and view the Effective Perms, as that is better than just the NTFS perms.
  - Misconfiguration: The user's account (or the group they belong to) is missing either Share Permissions OR NTFS Security Permissions. A user must have both sets of permissions to access the files.
- Incorrect Network Location (The "NoTrust" Issue)
  This relates to your point about the Public profile, but from the perspective of how the PC is currently classified.
  - Fault: Network Discovery is on, the firewall allows sharing, but the PC is treating the network as hostile.
  - L1 Checkpoint: Check the current network profile classification.
  - How to check: Settings > Network & Internet > Properties (of the connected adapter).
The Network category should show Private there, or check it from PowerShell:
PS C:\WINDOWS\system32> Get-NetConnectionProfile
Name : Planta1_5G
InterfaceAlias : vEthernet (Ext LAN Switch)
InterfaceIndex : 14
NetworkCategory : Private   <- If Public, it would be blocked due to the No Trust setting
DomainAuthenticationKind : None   <- Shows no domain attachment
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic
  - Misconfiguration: The network is incorrectly set to Public when it should be Private. Changing a network from Public to Private in Windows 11 enables Network Discovery and the default File Sharing rules (if not overridden by GPO!).
- IP/DNS Resolution Failure
  If the client machine can't translate the server name to an IP address, it can't initiate the SMB connection.
  - Fault: Client cannot connect using the server's name (\\SERVERNAME\share), but can connect using the IP address (\\192.168.x.x\share).
  - L1 Checkpoint: Use the DNS diagnostic tools we discussed previously.
  - Tools: nslookup SERVERNAME or ping SERVERNAME.
REALITY: nslookup fails for the VM name on a workgroup, as it uses DNS, which is not available from the wifi router. So nslookup asks the wifi router for the VM name, and the router asks a real DNS server on the Internet, which is why the name fails with "Server: UnKnown":
PS C:\WINDOWS\system32> nslookup Win11VM
Server: UnKnown
Address: 192.168.1.1
*** UnKnown can't find Win11VM: Non-existent domain
Test-NetConnection, however, succeeds with workgroup name resolution:
PS C:\WINDOWS\system32> Test-NetConnection Win11VM -Port 445 -InformationLevel Detailed
ComputerName : Win11VM
RemoteAddress : fe80::1059:7018:a1d5:5042%14
RemotePort : 445
NameResolutionResults : fe80::1059:7018:a1d5:5042%14 192.168.1.102
MatchingIPsecRules :
NetworkIsolationContext : Private Network
InterfaceAlias : vEthernet (Ext LAN Switch)
SourceAddress : fe80::f3cc:b65b:c017:30c0%14
NetRoute (NextHop) : ::
TcpTestSucceeded : True
  - Misconfiguration: The DNS server is unavailable, the DnsClient service is stopped, or the client machine is misconfigured to look at the wrong DNS server.
- Client-Side SMB Feature Disabled
  While rare, a system update or administrator script could have disabled the client-side feature needed to talk to the share.
  - Fault: All other network services work, but the machine cannot browse or connect to any remote shares.
  - L1 Checkpoint: Check the installed Windows Features.
  - Tools: Control Panel > Programs > Turn Windows features on or off.
  - Misconfiguration: The feature SMB 1.0/CIFS Client (for older shares) or the core SMB functionality is disabled in Windows Features. While most systems use SMB 3.0 by default, this is a point of failure for legacy systems.
For L1 purposes, focusing on Network Profile/Discovery, DNS resolution, and Share/NTFS Permissions (in addition to the Firewall and Service state) covers all common reasons for SMB connectivity failures.
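The SMB checkpoints above (services, network profile, firewall rule by port, Share vs NTFS permissions) as one read-only script, run on the machine that hosts the share. This PowerShell is an added example, not part of the original notes: the function name, parameters and output shape are illustrative choices, and 'MyShare' in the last line is a placeholder for your own share name.

```powershell
# Added example (not from the original page): read-only checks for the
# "cannot reach file share" fault, run ON the machine that hosts the share.
# Function name, parameters and output shape are illustrative choices.
function Get-SmbFaultTriage {
    param(
        [Parameter(Mandatory)][string]$ShareName,   # the share to inspect
        [int]$Port = 445
    )
    function New-Finding($Check, $Ok, $Detail) {
        [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
    }

    # 1. The "Server" and "Workstation" services must be running.
    foreach ($svc in Get-Service -Name LanmanServer, LanmanWorkstation) {
        New-Finding "Service $($svc.DisplayName)" ($svc.Status -eq 'Running') "Status=$($svc.Status)"
    }

    # 2. A Public profile applies the restrictive ("NoTrust") firewall rules.
    foreach ($p in Get-NetConnectionProfile) {
        New-Finding "Profile on $($p.InterfaceAlias)" ($p.NetworkCategory -ne 'Public') "NetworkCategory=$($p.NetworkCategory)"
    }

    # 3. Enabled inbound rules for the port. ActiveStore is the effective rule
    #    set, including GPO rules. A Block rule overrides any Allow rule.
    #    (Walking every rule is slow but needs no extra modules.)
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True
    $onPort = @(foreach ($r in $rules) {
        $f = $r | Get-NetFirewallPortFilter
        if ($f.Protocol -eq 'TCP' -and $f.LocalPort -contains "$Port") {
            [pscustomobject]@{ Name = $r.DisplayName; Action = "$($r.Action)"; Profile = "$($r.Profile)" }
        }
    })
    $blocks = @($onPort | Where-Object { $_.Action -eq 'Block' })
    $allows = @($onPort | Where-Object { $_.Action -eq 'Allow' })
    New-Finding "Inbound Block rules on TCP $Port" ($blocks.Count -eq 0) (($blocks | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join ' | ')
    New-Finding "Inbound Allow rules on TCP $Port" ($allows.Count -gt 0) (($allows | ForEach-Object { "$($_.Name) [$($_.Profile)]" }) -join ' | ')

    # 4. Same test the page runs: is the port answering at all?
    $tcp = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $Port -WarningAction SilentlyContinue
    New-Finding "TCP $Port answers locally" $tcp.TcpTestSucceeded "RemoteAddress=$($tcp.RemoteAddress)"

    # 5. The user needs BOTH a Share permission and an NTFS permission.
    #    Checked for the account running this script by matching the names in
    #    its logon token against Allow entries. Deny entries and the
    #    differences of a network logon are not modelled, so confirm with the
    #    Effective Access view in the GUI.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $me = @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
    })
    try {
        $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
        $sAcl = @(Get-SmbShareAccess -Name $ShareName -ErrorAction Stop |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $me -contains $_.AccountName })
        $nAcl = @((Get-Acl -Path $share.Path -ErrorAction Stop).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $me -contains $_.IdentityReference.Value })
        New-Finding "Share permission on $ShareName" ($sAcl.Count -gt 0) (($sAcl | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join ' | ')
        New-Finding "NTFS permission on $($share.Path)" ($nAcl.Count -gt 0) (($nAcl | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join ' | ')
    } catch {
        New-Finding "Permissions on $ShareName" $false "Could not read ACLs (elevation needed?): $($_.Exception.Message)"
    }
}

Get-SmbFaultTriage -ShareName 'MyShare' | Format-Table -AutoSize -Wrap
```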
User Experience & Profile
3. Slow Startup/Login (Delayed App Launch)
- Diagnosis: You check Task Manager’s Startup tab or Task Scheduler and find a non-system application (e.g., TEST_DELAY_STARTUP) set to run with a delay at log on for the current user.
- Privilege Required: User (for the current profile).
- Escalation Decision: The process is tied to your user's profile and does not affect the system. Disable or delete the task/entry.
Open Task Manager > Startup apps, disable all apps and reboot.
Also look for slow-startup culprits in Task Scheduler.
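Both places named in this diagnosis can be listed together from PowerShell. This is an added example, not part of the original notes; the function name and output columns are illustrative choices.

```powershell
# Added example (not from the original page): list what runs at log on,
# with any configured delay. Function name and output shape are illustrative.
function Get-LogonStartupEntry {
    # Run keys and Startup folder entries, as reported by Windows.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{
            Source  = $_.Location
            Name    = $_.Name
            RunsAs  = $_.User
            Delay   = [timespan]::Zero
            Command = $_.Command
        }
    }

    # Scheduled tasks with an enabled "At log on" trigger. The delay is stored
    # as an ISO 8601 duration (for example PT5M) and converted to a TimeSpan.
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($trg in $task.Triggers) {
            if ($trg.CimClass.CimClassName -ne 'MSFT_TaskLogonTrigger' -or -not $trg.Enabled) { continue }
            $delay = if ($trg.Delay) { [System.Xml.XmlConvert]::ToTimeSpan($trg.Delay) } else { [timespan]::Zero }
            [pscustomobject]@{
                Source  = "Task Scheduler $($task.TaskPath)"
                Name    = $task.TaskName
                RunsAs  = if ($trg.UserId) { $trg.UserId } else { 'any user' }
                Delay   = $delay
                Command = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            }
        }
    }
}

# Entries outside the built-in \Microsoft\ task folder, longest delay first:
# the likely "slow login" culprits.
Get-LogonStartupEntry |
    Where-Object { $_.Source -notlike 'Task Scheduler \Microsoft\*' } |
    Sort-Object Delay -Descending |
    Format-Table -AutoSize -Wrap
```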
4. File Associations Broken (.txt opens in WordPad)
- Diagnosis: You attempt to open a file, and the wrong application launches.
- Privilege Required: User (for the current profile).
- Escalation Decision: Changing the default app is a user profile setting. Fix via Settings > Default Apps.
Or right-click the file icon and use Open with > Choose another app, then browse to the correct app for the file.
5. Hidden Desktop Icons
- Diagnosis: The desktop is blank, missing standard icons like Recycle Bin and My PC.
The Show Desktop icon is a stupid, near-invisible line until hovered, at the far right of the Taskbar!
1. Right-click on a blank area of the Desktop.
2. Select Personalize.
3. In the Personalization settings, scroll down or navigate to Themes.
4. Under "Related Settings," click on Desktop icon settings.
5. This opens a small dialog box where the technician can place a checkmark next to: Computer, User's Files, Network, Recycle Bin, and Control Panel.
System and Performance
6. Disk Space Warning (Massive temporary files)
- Diagnosis: You verify the low disk space and locate the large, non-system files (e.g., TEST_JUNK_FILES.tmp) in the user's personal profile (Documents, Downloads).
- Privilege Required: User (to delete personal files).
- Escalation Decision: You can delete files within your own profile space without Admin rights. Delete the large test file. Run Disk Cleanup.
7. System Failure Setting (No Auto-Restart: the PC hangs after a crash and does not auto-restart, as is the normal default)
- Diagnosis: You check System Properties (System/About/Advanced System Protect Settings/Startup and Recovery settings) and check the Auto restart box.
- Privilege Required: Admin (to change system properties).
- Escalation Decision: Escalate. This is a system-wide setting often managed by GPO. Your job is to document the incorrect configuration and escalate for the change.
This setting refers to a configuration that dictates what the operating system should do immediately after it encounters a critical, unrecoverable error (a "System Failure," typically resulting in a Blue Screen of Death, or BSOD).
It is used to create a specific, stable state for troubleshooting and testing.
Context and Purpose of the Fault Setting
- Location of the Setting
This setting is found in the System Properties of Windows, specifically under the Startup and Recovery section.
- (Run box: sysdm.cpl > Advanced tab > Startup and Recovery > Settings)
- The Fault State Defined
The term "System Failure Setting (No Auto-Restart)" refers to UNCHECKING the box labeled:
- "Automatically restart"
When this setting is disabled (unchecked) by a GPO, the system will hang on a Blue Screen of Death (BSOD) rather than automatically rebooting.
Here are the primary reasons a corporate domain would enforce this:
- Mandatory Crash Data Collection (The Primary Reason)
In mission-critical or highly monitored environments, IT Operations needs the machine to stay on the BSOD screen for several reasons:
- Memory Dump Completion: The machine needs time to write a full memory dump to the disk. Automatic, immediate restart can interrupt or corrupt this critical process, making the dump useless for root-cause analysis (RCA).
- Visual Confirmation: The BSOD screen contains the Stop Code (e.g., IRQL_NOT_LESS_OR_EQUAL). The Operations Center (NOC) or an L2/L3 technician may need to read this code visually if remote access or logging has failed.
- Audit Trail: By forcing a manual restart, IT ensures there's a human being documenting the event, time, and stop code before the system attempts recovery.
- Compliance and Operational Readiness
In certain high-security or regulated industries (Finance, Healthcare, Defense), systems must be manually brought back online:
- Physical Security: A system failure on a secure terminal might require physical verification of the user before allowing the machine to be brought back online and re-authenticating to the network.
- System Integrity: Automatic reboot can sometimes mask a deeper underlying hardware failure. By forcing a manual restart, IT confirms that the machine is physically acknowledged and checked before being returned to service.
- Monitoring and Alerting Integrity
If a critical server or desktop crashes and immediately restarts, it creates a gap in the monitoring history.
- Alert Generation: If the machine remains on the BSOD, it gives the monitoring systems (like System Center Operations Manager - SCOM) time to log and alert on the state change (the crash event) before the machine goes offline for the reboot cycle.
- Preventing Loops: In rare cases, a bad driver or software issue can cause an endless loop of crashing, rebooting, and crashing again. Disabling auto-restart stops this loop immediately, preventing unnecessary wear and tear or network chatter.
8. Missing System Tool (msconfig.exe renamed)
- Diagnosis: The user runs msconfig from the Run box and gets an "Application not found" error. You confirm that other system files run fine. You advise using an alternative tool or the full path.
- Privilege Required: Admin (to modify System32).
- Escalation Decision: Escalate. Although you can work around the issue (e.g., by knowing the file's new name), renaming files in the C:\Windows\System32 directory requires Admin privileges and is an escalation.
655 Win *.exe Tools in Sys32 folder:
stevee@laptop:/mnt/c/Windows/System32$ ls -l *.exe | wc -l
655
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
-r-xr-xr-x 2 stevee stevee 118784 Dec 9 14:46 SystemUWPLauncher.exe
-r-xr-xr-x 2 stevee stevee 94208 Dec 12 2024 TSTheme.exe
-r-xr-xr-x 2 stevee stevee 118784 Dec 9 14:47 TSWbPrxy.exe
-r-xr-xr-x 2 stevee stevee 40960 Sep 14 18:13 TapiUnattend.exe
-r-xr-xr-x 2 stevee stevee 5559048 Dec 9 14:46 Taskmgr.exe
-r-xr-xr-x 2 stevee stevee 90112 Dec 9 14:47 ThumbnailExtractionHost.exe
-r-xr-xr-x 2 stevee stevee 348160 Sep 14 18:13 TieringEngineService.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 9 14:47 TokenBrokerCookies.exe
-r-xr-xr-x 2 stevee stevee 94208 Apr 1 2024 TpmInit.exe
-r-xr-xr-x 2 stevee stevee 385024 Dec 9 14:47 TpmTool.exe
-r-xr-xr-x 2 stevee stevee 57344 Dec 9 14:47 UCConfigTask.exe
-r-xr-xr-x 2 stevee stevee 188416 Nov 13 11:33 UCPDMgr.exe
-r-xr-xr-x 2 stevee stevee 447360 Dec 9 14:47 UIEOrchestrator.exe
-r-xr-xr-x 2 stevee stevee 69632 Dec 9 14:47 UIMgrBroker.exe
-r-xr-xr-x 2 stevee stevee 118784 Dec 9 14:47 UPPrinterInstaller.exe
-r-xr-xr-x 3 stevee stevee 41984 Dec 12 2024 UevAgentPolicyGenerator.exe
-r-xr-xr-x 3 stevee stevee 55808 Dec 12 2024 UevAppMonitor.exe
-r-xr-xr-x 3 stevee stevee 14336 Dec 12 2024 UevTemplateBaselineGenerator.exe
-r-xr-xr-x 3 stevee stevee 11776 Dec 12 2024 UevTemplateConfigItemGenerator.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 9 14:47 UpgradeResultsUI.exe
-r-xr-xr-x 2 stevee stevee 75856 Dec 9 14:47 UserAccountBroker.exe
-r-xr-xr-x 2 stevee stevee 155648 Dec 9 14:47 UserAccountControlSettings.exe
-r-xr-xr-x 2 stevee stevee 69632 Dec 9 14:46 UserDataSource.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:47 UsoClient.exe
-r-xr-xr-x 2 stevee stevee 176128 Dec 9 14:47 UtcDecoderHost.exe
-r-xr-xr-x 2 stevee stevee 311296 Dec 9 14:47 Utilman.exe
-r-xr-xr-x 2 stevee stevee 1474560 Dec 9 14:47 VSSVC.exe
-r-xr-xr-x 2 stevee stevee 57344 Dec 12 2024 VaultCmd.exe
-r-xr-xr-x 2 stevee stevee 262144 Dec 9 14:47 VoiceAccess.exe
-r-xr-xr-x 2 stevee stevee 5656576 Mar 31 2024 VsGraphicsDesktopEngine.exe
-r-xr-xr-x 2 stevee stevee 4751360 Dec 9 14:46 VsGraphicsRemoteEngine.exe
-r-xr-xr-x 2 stevee stevee 978944 Dec 9 14:46 WFS.exe
-r-xr-xr-x 2 stevee stevee 1519616 Dec 9 14:47 WMPDMC.exe
-r-xr-xr-x 3 stevee stevee 57344 Dec 12 2024 WPDShextAutoplay.exe
-r-xr-xr-x 2 stevee stevee 102400 Apr 1 2024 WSCollect.exe
-r-xr-xr-x 2 stevee stevee 65536 Dec 9 14:47 WSManHTTPConfig.exe
-r-xr-xr-x 2 stevee stevee 139264 Dec 9 14:47 WSReset.exe
-r-xr-xr-x 2 stevee stevee 232864 Dec 9 14:46 WUDFCompanionHost.exe
-r-xr-xr-x 2 stevee stevee 357776 Dec 9 14:46 WUDFHost.exe
-r-xr-xr-x 2 stevee stevee 923008 Dec 9 14:47 WWAHost.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 9 14:47 WallpaperHost.exe
-r-xr-xr-x 2 stevee stevee 648608 Dec 9 14:46 WerFault.exe
-r-xr-xr-x 2 stevee stevee 228744 Dec 9 14:46 WerFaultSecure.exe
-r-xr-xr-x 2 stevee stevee 110592 Dec 9 14:47 WinBioDataModelOOBE.exe
-r-xr-xr-x 3 stevee stevee 7928280 Nov 13 11:33 WinCsFlags.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 12 2024 WinRTNetMUAHostServer.exe
-r-xr-xr-x 2 stevee stevee 2768896 Dec 9 14:47 WinSAT.exe
-r-xr-xr-x 3 stevee stevee 40960 Dec 12 2024 Windows.Media.BackgroundPlayback.exe
-r-xr-xr-x 2 stevee stevee 94208 Dec 9 14:46 Windows.WARP.JITService.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:46 WindowsActionDialog.exe
-r-xr-xr-x 2 stevee stevee 69632 Dec 9 14:47 WindowsUpdateElevatedInstaller.exe
-r-xr-xr-x 3 stevee stevee 114688 Sep 14 18:13 WorkFolders.exe
-r-xr-xr-x 2 stevee stevee 1249344 Dec 9 14:47 WpcMon.exe
-r-xr-xr-x 2 stevee stevee 299008 Dec 9 14:46 WpcTok.exe
-r-xr-xr-x 2 stevee stevee 61440 Dec 9 14:47 XblGameSaveTask.exe
-r-xr-xr-x 3 stevee stevee 40960 Dec 12 2024 agentactivationruntimestarter.exe
-r-xr-xr-x 2 stevee stevee 3291480 Dec 9 14:46 aitstatic.exe
-r-xr-xr-x 2 stevee stevee 217088 Dec 9 14:46 alg.exe
-r-xr-xr-x 2 stevee stevee 49152 Feb 24 2025 appidcertstorecheck.exe
-r-xr-xr-x 2 stevee stevee 155648 Feb 24 2025 appidpolicyconverter.exe
-r-xr-xr-x 3 stevee stevee 49152 Nov 13 11:32 appidtel.exe
-r-xr-xr-x 1 stevee stevee 140664 Mar 12 2025 appverif.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 at.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 attrib.exe
-r-xr-xr-x 2 stevee stevee 877448 Dec 9 14:46 audiodg.exe
-r-xr-xr-x 3 stevee stevee 61440 Feb 24 2025 auditpol.exe
-r-xr-xr-x 2 stevee stevee 1044480 Apr 1 2024 autochk.exe
-r-xr-xr-x 3 stevee stevee 94208 Nov 4 08:06 autofstx.exe
-r-xr-xr-x 2 stevee stevee 50496 Apr 1 2024 backgroundTaskHost.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:46 bash.exe
-r-xr-xr-x 2 stevee stevee 282624 Jul 8 14:39 bcdboot.exe
-r-xr-xr-x 2 stevee stevee 521616 Nov 13 11:32 bcdedit.exe
-r-xr-xr-x 2 stevee stevee 438272 Dec 9 14:47 bdechangepin.exe
-r-xr-xr-x 2 stevee stevee 286560 Dec 9 14:47 bdeunlock.exe
-r-xr-xr-x 2 stevee stevee 241664 Nov 13 11:32 bitsadmin.exe
-r-xr-xr-x 2 stevee stevee 53248 Dec 9 14:46 bootim.exe
-r-xr-xr-x 2 stevee stevee 112032 Jun 11 2025 bootsect.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 bridgeunattend.exe
-r-xr-xr-x 2 stevee stevee 66968 Dec 9 14:46 browser_broker.exe
-r-xr-xr-x 2 stevee stevee 159744 Dec 9 14:46 browserexport.exe
-r-xr-xr-x 3 stevee stevee 69632 Nov 4 08:06 bthudtask.exe
-r-xr-xr-x 2 stevee stevee 61440 Apr 1 2024 cacls.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 calc.exe
-r-xr-xr-x 2 stevee stevee 536576 Dec 9 14:46 certreq.exe
-r-xr-xr-x 2 stevee stevee 1593344 Dec 9 14:46 certutil.exe
-r-xr-xr-x 3 stevee stevee 40960 Apr 1 2024 change.exe
-r-xr-xr-x 2 stevee stevee 129568 Dec 9 14:47 changepk.exe
-r-xr-xr-x 2 stevee stevee 294912 Dec 9 14:46 charmap.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 chglogon.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 chgport.exe
-r-xr-xr-x 3 stevee stevee 45056 Apr 1 2024 chgusr.exe
-r-xr-xr-x 2 stevee stevee 53248 Dec 12 2024 chkdsk.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 chkntfs.exe
-r-xr-xr-x 2 stevee stevee 57344 Apr 1 2024 choice.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 12 2024 cipher.exe
-r-xr-xr-x 2 stevee stevee 307200 Dec 9 14:46 cleanmgr.exe
-r-xr-xr-x 2 stevee stevee 53248 Dec 12 2024 cliconfg.exe
-r-xr-xr-x 2 stevee stevee 57344 Apr 1 2024 clip.exe
-r-xr-xr-x 2 stevee stevee 339968 Dec 9 14:46 cmd.exe
-r-xr-xr-x 2 stevee stevee 49152 Nov 13 11:33 cmdkey.exe
-r-xr-xr-x 4 stevee stevee 77824 Dec 12 2024 cmdl32.exe
-r-xr-xr-x 2 stevee stevee 106496 Dec 9 14:47 cmmon32.exe
-r-xr-xr-x 4 stevee stevee 122880 Dec 12 2024 cmstp.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 12 2024 cofire.exe
-r-xr-xr-x 3 stevee stevee 110592 Dec 12 2024 colorcpl.exe
-r-xr-xr-x 2 stevee stevee 49152 Apr 1 2024 comp.exe
-r-xr-xr-x 2 stevee stevee 73728 Apr 1 2024 compact.exe
-r-xr-xr-x 2 stevee stevee 1015808 Dec 9 14:46 conhost.exe
-r-xr-xr-x 2 stevee stevee 255376 Dec 9 14:46 consent.exe
-r-xr-xr-x 2 stevee stevee 122880 Jun 11 2025 control.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 12 2024 convert.exe
-r-xr-xr-x 2 stevee stevee 239008 Dec 9 14:47 convertvhd.exe
-r-xr-xr-x 2 stevee stevee 81920 Dec 9 14:46 coredpussvr.exe
-r-xr-xr-x 2 stevee stevee 65536 Mar 12 2025 credwiz.exe
-r-xr-xr-x 2 stevee stevee 188416 Dec 9 14:47 cscript.exe
-r-xr-xr-x 2 stevee stevee 38576 Apr 1 2024 csrss.exe
-r-xr-xr-x 2 stevee stevee 69632 Dec 9 14:47 ctfmon.exe
-r-xr-xr-x 2 stevee stevee 114688 Apr 1 2024 cttune.exe
-r-xr-xr-x 2 stevee stevee 65536 Sep 14 18:13 cttunesvr.exe
-r-xr-xr-x 2 stevee stevee 742960 Nov 13 11:32 curl.exe
-r-xr-xr-x 2 stevee stevee 524288 Dec 9 14:46 d3dconfig.exe
-r-xr-xr-x 2 stevee stevee 200704 Dec 9 14:47 dasHost.exe
-r-xr-xr-x 2 stevee stevee 151552 Dec 9 14:46 dccw.exe
-r-xr-xr-x 3 stevee stevee 32768 Apr 1 2024 dcomcnfg.exe
-r-xr-xr-x 2 stevee stevee 69632 Apr 1 2024 ddodiag.exe
-r-xr-xr-x 3 stevee stevee 61440 Apr 1 2024 deploymentcsphelper.exe
-r-xr-xr-x 2 stevee stevee 155648 Dec 9 14:47 desktopimgdownldr.exe
-r-xr-xr-x 2 stevee stevee 143360 Nov 13 11:32 dfrgui.exe
-r-xr-xr-x 2 stevee stevee 69632 Sep 14 18:13 dialer.exe
-r-xr-xr-x 2 stevee stevee 176128 Dec 9 14:46 directxdatabaseupdater.exe
-r-xr-xr-x 2 stevee stevee 176128 Dec 12 2024 diskpart.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 diskperf.exe
-r-xr-xr-x 2 stevee stevee 356352 Apr 1 2024 diskraid.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:46 diskusage.exe
-r-xr-xr-x 2 stevee stevee 196608 Dec 9 14:46 dispdiag.exe
-r-xr-xr-x 2 stevee stevee 106496 Apr 1 2024 djoin.exe
-r-xr-xr-x 2 stevee stevee 50504 Dec 12 2024 dllhost.exe
-r-xr-xr-x 2 stevee stevee 40960 Dec 12 2024 dllhst3g.exe
-r-xr-xr-x 2 stevee stevee 204800 Dec 9 14:46 dmcertinst.exe
-r-xr-xr-x 2 stevee stevee 65536 Nov 13 11:32 dmcfghost.exe
-r-xr-xr-x 2 stevee stevee 172032 Dec 9 14:46 dmclient.exe
-r-xr-xr-x 2 stevee stevee 61440 Apr 1 2024 DnsClientugc.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 doskey.exe
-r-xr-xr-x 2 stevee stevee 102400 Apr 1 2024 dpapimig.exe
-r--r--r-- 2 stevee stevee 36864 Jun 11 2025 dpnsvr.exe
-r-xr-xr-x 2 stevee stevee 106496 Jun 11 2025 driverquery.exe
-r-xr-xr-x 2 stevee stevee 442368 Dec 9 14:46 drvinst.exe
-r-xr-xr-x 2 stevee stevee 520192 Dec 9 14:47 dsregcmd.exe
-r-xr-xr-x 3 stevee stevee 40960 Dec 12 2024 dstokenclean.exe
-r-xr-xr-x 2 stevee stevee 159744 Dec 9 14:47 dtdump.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 9 14:46 dusmtask.exe
-r-xr-xr-x 2 stevee stevee 40960 Dec 12 2024 dvdplay.exe
-r-xr-xr-x 2 stevee stevee 131072 Dec 9 14:46 dwm.exe
-r-xr-xr-x 2 stevee stevee 327680 Dec 9 14:46 dxdiag.exe
-r-xr-xr-x 2 stevee stevee 147456 Dec 9 14:46 dxgiadaptercache.exe
-r-xr-xr-x 2 stevee stevee 100608 Nov 13 11:33 easinvoker.exe
-r-xr-xr-x 3 stevee stevee 266800 Nov 4 08:06 edit.exe
-r-xr-xr-x 2 stevee stevee 98304 Dec 9 14:46 edpnotify.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 efsui.exe
-r-xr-xr-x 2 stevee stevee 847872 Apr 12 2025 esentutl.exe
-r-xr-xr-x 2 stevee stevee 62872 Dec 9 14:47 esimtool.exe
-r-xr-xr-x 2 stevee stevee 380928 Dec 9 14:46 eudcedit.exe
-r-xr-xr-x 2 stevee stevee 69632 Jun 11 2025 eventcreate.exe
-r-xr-xr-x 2 stevee stevee 106496 Nov 13 11:32 eventvwr.exe
-r-xr-xr-x 2 stevee stevee 73728 Apr 1 2024 expand.exe
-r-xr-xr-x 2 stevee stevee 61440 Dec 12 2024 extrac32.exe
-r-xr-xr-x 2 stevee stevee 49152 Apr 1 2024 fc.exe
-r-xr-xr-x 2 stevee stevee 513848 Dec 9 14:46 fclip.exe
-r-xr-xr-x 3 stevee stevee 163840 Dec 12 2024 fhmanagew.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 find.exe
-r-xr-xr-x 2 stevee stevee 65536 Nov 13 11:33 findstr.exe
-r-xr-xr-x 3 stevee stevee 40960 Dec 12 2024 finger.exe
-r-xr-xr-x 3 stevee stevee 49152 Dec 12 2024 fixmapi.exe
-r-xr-xr-x 2 stevee stevee 53248 Dec 12 2024 fltMC.exe
-r-xr-xr-x 2 stevee stevee 73728 Dec 12 2024 fodhelper.exe
-r-xr-xr-x 2 stevee stevee 831968 Dec 9 14:46 fontdrvhost.exe
-r-xr-xr-x 2 stevee stevee 151552 Dec 9 14:46 fontview.exe
-r-xr-xr-x 2 stevee stevee 73728 Dec 12 2024 forfiles.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 fsavailux.exe
-r-xr-xr-x 2 stevee stevee 196608 Dec 9 14:46 fsquirt.exe
-r-xr-xr-x 2 stevee stevee 284048 Dec 9 14:46 fsutil.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 12 2024 ftp.exe
-r-xr-xr-x 2 stevee stevee 217088 Dec 9 14:47 fvenotify.exe
-r-xr-xr-x 2 stevee stevee 188416 Dec 12 2024 fveprompt.exe
-r-xr-xr-x 2 stevee stevee 106496 Apr 1 2024 getmac.exe
-r-xr-xr-x 2 stevee stevee 290816 Dec 9 14:46 gpresult.exe
-r-xr-xr-x 2 stevee stevee 118784 Dec 9 14:46 gpscript.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:46 gpupdate.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 grpconv.exe
-r-xr-xr-x 2 stevee stevee 365952 Dec 9 14:46 hcsdiag.exe
-r-xr-xr-x 2 stevee stevee 81920 Apr 1 2024 hdwwiz.exe
-r-xr-xr-x 2 stevee stevee 32768 Apr 1 2024 help.exe
-r-xr-xr-x 2 stevee stevee 249856 Dec 9 14:46 hnsdiag.exe
-r-xr-xr-x 2 stevee stevee 1975680 Dec 9 14:46 hvax64.exe
-r-xr-xr-x 2 stevee stevee 173440 Dec 9 17:04 hvc.exe
-r-xr-xr-x 2 stevee stevee 2053504 Dec 9 14:46 hvix64.exe
-r-xr-xr-x 2 stevee stevee 189840 Dec 9 14:46 hvsievaluator.exe
-r-xr-xr-x 1 stevee stevee 220368 Dec 29 2021 iaStorAfsNative.exe
-r-xr-xr-x 1 stevee stevee 3160784 Dec 29 2021 iaStorAfsService.exe
-r-xr-xr-x 2 stevee stevee 61440 Dec 12 2024 icacls.exe
-r-xr-xr-x 3 stevee stevee 51064 Jun 11 2025 icsunattend.exe
-r-xr-xr-x 2 stevee stevee 286720 Dec 9 14:46 ie4uinit.exe
-r-xr-xr-x 2 stevee stevee 131072 Dec 9 14:46 ie4ushowIE.exe
-r-xr-xr-x 2 stevee stevee 102400 Dec 9 14:46 ieUnatt.exe
-r-xr-xr-x 2 stevee stevee 196608 Dec 9 14:46 iexpress.exe
-r-xr-xr-x 2 stevee stevee 147456 Dec 9 14:47 immersivetpmvscmgrsvr.exe
-r-xr-xr-x 2 stevee stevee 169344 Dec 9 14:47 iotstartup.exe
-r-xr-xr-x 2 stevee stevee 61440 Dec 9 14:46 ipconfig.exe
-r-xr-xr-x 2 stevee stevee 73728 Nov 13 11:33 iscsicli.exe
-r-xr-xr-x 2 stevee stevee 32768 Nov 13 11:33 iscsicpl.exe
-r-xr-xr-x 2 stevee stevee 147456 Dec 9 14:46 isoburn.exe
-r-xr-xr-x 2 stevee stevee 65536 Apr 1 2024 klist.exe
-r-xr-xr-x 2 stevee stevee 65536 Dec 12 2024 ksetup.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 12 2024 ktmutil.exe
-r-xr-xr-x 2 stevee stevee 40960 Dec 12 2024 la57setup.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 label.exe
-r-xr-xr-x 2 stevee stevee 561152 Dec 9 14:46 licensingdiag.exe
-r-xr-xr-x 2 stevee stevee 106496 Dec 12 2024 lodctr.exe
-r-xr-xr-x 2 stevee stevee 131072 Sep 14 18:13 logagent.exe
-r-xr-xr-x 2 stevee stevee 118784 Dec 12 2024 logman.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 logoff.exe
-r-xr-xr-x 2 stevee stevee 61440 Sep 14 18:13 lpkinstall.exe
-r-xr-xr-x 2 stevee stevee 741376 Dec 9 14:46 lpksetup.exe
-r-xr-xr-x 2 stevee stevee 126976 Dec 9 14:46 lpremove.exe
-r-xr-xr-x 2 stevee stevee 84120 Dec 9 14:46 lsass.exe
-r-xr-xr-x 2 stevee stevee 110592 Apr 1 2024 makecab.exe
-r-xr-xr-x 2 stevee stevee 282624 Dec 9 14:47 manage-bde.exe
-r-xr-xr-x 3 stevee stevee 222592 Nov 4 08:06 mavinject.exe
-r-xr-xr-x 2 stevee stevee 843776 Dec 9 14:47 mblctr.exe
-r-xr-xr-x 2 stevee stevee 131072 Feb 24 2025 mcbuilder.exe
-r-xr-xr-x 2 stevee stevee 75824 Dec 9 14:47 mfpmp.exe
-r-xr-xr-x 1 stevee stevee 26192 Mar 12 2025 microsoft.windows.softwarelogo.showdesktop.exe
-r-xr-xr-x 2 stevee stevee 1871872 Dec 9 14:47 mmc.exe
-r-xr-xr-x 2 stevee stevee 1327104 Dec 9 14:46 mmgaserver.exe
-r-xr-xr-x 2 stevee stevee 131072 Dec 9 14:47 mobsync.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 mountvol.exe
-r-xr-xr-x 4 stevee stevee 45056 Apr 1 2024 mpnotify.exe
-r-xr-xr-x 2 stevee stevee 253952 Dec 9 14:47 msconfig.exe
-r-xr-xr-x 2 stevee stevee 557056 Dec 9 14:47 msdt.exe
-r-xr-xr-x 2 stevee stevee 208896 Dec 9 14:46 msdtc.exe
-r-xr-xr-x 3 stevee stevee 36864 Dec 12 2024 msfeedssync.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 msg.exe
-r-xr-xr-x 2 stevee stevee 36864 Dec 12 2024 mshta.exe
-r-xr-xr-x 2 stevee stevee 180224 Sep 14 18:13 msiexec.exe
-r-xr-xr-x 2 stevee stevee 380928 Dec 9 14:47 msinfo32.exe
-r-xr-xr-x 2 stevee stevee 614400 Dec 9 14:47 msra.exe
-r-xr-xr-x 2 stevee stevee 1384448 Dec 9 14:47 mstsc.exe
-r-xr-xr-x 3 stevee stevee 155648 Dec 12 2024 mtstocom.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 12 2024 nbtstat.exe
-r-xr-xr-x 3 stevee stevee 94208 Dec 12 2024 ndadmin.exe
-r-xr-xr-x 2 stevee stevee 81920 Nov 13 11:33 net.exe
-r-xr-xr-x 2 stevee stevee 184320 Nov 13 11:33 net1.exe
-r-xr-xr-x 2 stevee stevee 49152 Apr 1 2024 netbtugc.exe
-r-xr-xr-x 2 stevee stevee 110592 Dec 9 14:47 netcfg.exe
-r-xr-xr-x 3 stevee stevee 57344 Dec 12 2024 netiougc.exe
-r-xr-xr-x 2 stevee stevee 126976 Dec 9 14:47 netsh.exe
-r-xr-xr-x 3 stevee stevee 94208 Dec 12 2024 newdev.exe
-r-xr-xr-x 2 stevee stevee 602112 Dec 9 14:47 nltest.exe
-r-xr-xr-x 2 stevee stevee 128384 Dec 9 14:46 nmbind.exe
-r-xr-xr-x 2 stevee stevee 398760 Dec 9 14:46 nmscrub.exe
-r-xr-xr-x 3 stevee stevee 360448 Dec 9 14:47 notepad.exe
-r-xr-xr-x 2 stevee stevee 114688 Nov 13 11:33 nslookup.exe
-r-xr-xr-x 2 stevee stevee 12993992 Dec 9 14:47 ntoskrnl.exe
-r-xr-xr-x 3 stevee stevee 94208 Sep 14 18:13 ntprint.exe
-r-xr-xr-x 2 stevee stevee 439704 Dec 9 14:46 nvspinfo.exe
-r-xr-xr-x 2 stevee stevee 102400 Nov 13 11:33 odbcad32.exe
-r-xr-xr-x 2 stevee stevee 49152 Apr 1 2024 odbcconf.exe
-r-xr-xr-x 2 stevee stevee 102400 Sep 14 18:13 ofdeploy.exe
-r-xr-xr-x 2 stevee stevee 593920 Dec 9 14:46 omadmclient.exe
-r-xr-xr-x 2 stevee stevee 172032 Dec 9 14:46 omadmprc.exe
-r-xr-xr-x 2 stevee stevee 94208 Jun 11 2025 openfiles.exe
-r-xr-xr-x 2 stevee stevee 593920 Dec 9 14:47 osk.exe
-r-xr-xr-x 2 stevee stevee 46928 Dec 9 14:47 pacjsworker.exe
-r-xr-xr-x 2 stevee stevee 483328 Dec 9 14:47 pairtool.exe
-r-xr-xr-x 2 stevee stevee 126976 Dec 9 14:46 pcalua.exe
-r-xr-xr-x 2 stevee stevee 249856 Dec 9 14:46 pcaui.exe
-r-xr-xr-x 3 stevee stevee 40960 Dec 12 2024 pcwrun.exe
-r-xr-xr-x 3 stevee stevee 180224 Nov 13 11:33 perfmon.exe
-r-xr-xr-x 4 stevee stevee 133688 Dec 12 2024 phoneactivate.exe
-r-xr-xr-x 3 stevee stevee 32768 Dec 12 2024 plasrv.exe
-r-xr-xr-x 2 stevee stevee 282624 Dec 9 14:47 pnputil.exe
-r-xr-xr-x 2 stevee stevee 651264 Nov 8 01:40 poqexec.exe
-r-xr-xr-x 2 stevee stevee 188416 Dec 9 14:47 powercfg.exe
-r-xr-xr-x 2 stevee stevee 61440 Dec 9 14:47 prevhost.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 print.exe
-r-xr-xr-x 2 stevee stevee 585728 Dec 9 14:47 printfilterpipelinesvc.exe
-r-xr-xr-x 3 stevee stevee 94208 Sep 14 18:13 printui.exe
-r-xr-xr-x 2 stevee stevee 73728 Dec 9 14:47 proquota.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:47 provlaunch.exe
-r-xr-xr-x 2 stevee stevee 114688 Dec 9 14:47 provtool.exe
-r-xr-xr-x 2 stevee stevee 46936 Dec 12 2024 prproc.exe
-r-xr-xr-x 2 stevee stevee 393216 Dec 9 14:46 psr.exe
-r-xr-xr-x 2 stevee stevee 57344 Dec 12 2024 pwlauncher.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 qappsrv.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 qprocess.exe
-r-xr-xr-x 3 stevee stevee 40960 Apr 1 2024 query.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 quser.exe
-r-xr-xr-x 2 stevee stevee 53248 Dec 12 2024 qwinsta.exe
-r-xr-xr-x 2 stevee stevee 45056 Nov 13 11:33 rasautou.exe
-r-xr-xr-x 2 stevee stevee 49152 Nov 13 11:33 rasdial.exe
-r-xr-xr-x 2 stevee stevee 159744 Dec 9 14:47 raserver.exe
-r-xr-xr-x 2 stevee stevee 65536 Nov 13 11:33 rasphone.exe
-r-xr-xr-x 2 stevee stevee 569344 Dec 9 14:47 rdpclip.exe
-r-xr-xr-x 2 stevee stevee 542112 Dec 9 14:47 rdpinit.exe
-r-xr-xr-x 2 stevee stevee 266240 Dec 9 14:47 rdpinput.exe
-r-xr-xr-x 2 stevee stevee 1209728 Dec 9 14:47 rdpshell.exe
-r-xr-xr-x 3 stevee stevee 122880 Dec 12 2024 rdpsign.exe
-r-xr-xr-x 2 stevee stevee 77824 Nov 13 11:33 rdrleakdiag.exe
-r-xr-xr-x 2 stevee stevee 106496 Dec 9 14:46 readCloudDataSettings.exe
-r-xr-xr-x 2 stevee stevee 217088 Sep 14 18:13 recdisc.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 recover.exe
-r-xr-xr-x 2 stevee stevee 1945600 Dec 9 14:47 refsutil.exe
-r-xr-xr-x 2 stevee stevee 110592 Sep 14 18:13 reg.exe
-r-xr-xr-x 3 stevee stevee 32768 Nov 13 11:33 regedt32.exe
-r-xr-xr-x 2 stevee stevee 69632 Sep 14 18:13 regini.exe
-r-xr-xr-x 2 stevee stevee 90112 Dec 9 14:47 regsvr32.exe
-r-xr-xr-x 2 stevee stevee 147456 Dec 12 2024 rekeywiz.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 12 2024 relog.exe
-r-xr-xr-x 2 stevee stevee 155648 Aug 23 07:57 repair-bde.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 replace.exe
-r-xr-xr-x 3 stevee stevee 40960 Apr 1 2024 reset.exe
-r-xr-xr-x 3 stevee stevee 139264 Nov 13 11:33 resmon.exe
-r-xr-xr-x 2 stevee stevee 150192 Dec 9 14:47 rgnupdt.exe
-r-xr-xr-x 2 stevee stevee 143360 Dec 9 14:47 rmttpmvscmgrsvr.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 12 2024 rrinstaller.exe
-r-xr-xr-x 2 stevee stevee 335872 Dec 9 14:47 rstrui.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 runas.exe
-r-xr-xr-x 2 stevee stevee 98304 Dec 9 14:47 rundll32.exe
-r-xr-xr-x 2 stevee stevee 110592 Dec 9 14:47 runexehelper.exe
-r-xr-xr-x 2 stevee stevee 122880 Dec 9 14:47 runonce.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 rwinsta.exe
-r-xr-xr-x 2 stevee stevee 102400 Jul 8 14:39 sc.exe
-r-xr-xr-x 2 stevee stevee 253952 Nov 4 08:06 schtasks.exe
-r-xr-xr-x 2 stevee stevee 299008 Dec 9 14:46 sdbinst.exe
-r-xr-xr-x 2 stevee stevee 98304 Dec 9 14:47 sdchange.exe
-r-xr-xr-x 3 stevee stevee 1097728 Sep 14 18:13 sdclt.exe
-r-xr-xr-x 2 stevee stevee 77824 Dec 9 14:47 sdiagnhost.exe
-r-xr-xr-x 2 stevee stevee 32768 Apr 1 2024 secinit.exe
-r-xr-xr-x 2 stevee stevee 1324416 Dec 9 14:46 securekernel.exe
-r-xr-xr-x 2 stevee stevee 906408 Dec 9 14:47 services.exe
-r-xr-xr-x 2 stevee stevee 108864 Sep 14 18:13 sessionmsg.exe
-r-xr-xr-x 2 stevee stevee 172032 Dec 9 14:47 sethc.exe
-r-xr-xr-x 2 stevee stevee 57344 Apr 1 2024 setspn.exe
-r-xr-xr-x 2 stevee stevee 28672 Apr 1 2024 setupcl.exe
-r-xr-xr-x 2 stevee stevee 245760 Dec 9 14:46 setupugc.exe
-r-xr-xr-x 2 stevee stevee 86016 Apr 1 2024 setx.exe
-r-xr-xr-x 2 stevee stevee 110592 Dec 9 14:47 sfc.exe
-r-xr-xr-x 2 stevee stevee 77824 Jun 11 2025 shrpubw.exe
-r-xr-xr-x 2 stevee stevee 57344 Nov 13 11:33 shutdown.exe
-r-xr-xr-x 2 stevee stevee 102400 Apr 1 2024 sigverif.exe
-r-xr-xr-x 2 stevee stevee 139264 Dec 9 14:47 sihost.exe
-r-xr-xr-x 2 stevee stevee 712704 Dec 9 14:47 slui.exe
-r-xr-xr-x 2 stevee stevee 610304 Dec 9 14:47 smartscreen.exe
-r-xr-xr-x 2 stevee stevee 228728 Nov 13 11:33 smss.exe
-r-xr-xr-x 2 stevee stevee 45056 Dec 9 14:47 snmptrap.exe
-r-xr-xr-x 2 stevee stevee 49152 Dec 12 2024 sort.exe
-r-xr-xr-x 2 stevee stevee 112024 Dec 9 14:47 spaceman.exe
-r-xr-xr-x 2 stevee stevee 532480 Dec 9 14:47 spaceutil.exe
-r-xr-xr-x 2 stevee stevee 991232 Dec 9 14:47 spoolsv.exe
-r-xr-xr-x 2 stevee stevee 966656 Dec 9 14:47 spoolsvworker.exe
-r-xr-xr-x 2 stevee stevee 4823504 Dec 9 14:47 sppsvc.exe
-r-xr-xr-x 2 stevee stevee 36864 Apr 1 2024 srdelayed.exe
-r-xr-xr-x 2 stevee stevee 196608 Dec 9 14:47 stordiag.exe
-r-xr-xr-x 2 stevee stevee 40960 Apr 1 2024 subst.exe
-r-xr-xr-x 3 stevee stevee 936368 Dec 12 2024 sudo.exe
-r-xr-xr-x 2 stevee stevee 88232 Sep 14 18:13 svchost.exe
-r-xr-xr-x 3 stevee stevee 65536 Dec 12 2024 sxstrace.exe
-r-xr-xr-x 2 stevee stevee 126976 Jun 11 2025 systeminfo.exe
-r-xr-xr-x 2 stevee stevee 32768 Apr 1 2024 systray.exe
-r-xr-xr-x 3 stevee stevee 114688 Dec 12 2024 tabcal.exe
-r-xr-xr-x 2 stevee stevee 90112 Apr 1 2024 takeown.exe
-r-xr-xr-x 2 stevee stevee 92208 Dec 9 14:46 tar.exe
-r-xr-xr-x 2 stevee stevee 117128 Dec 9 14:47 taskhostw.exe
-r-xr-xr-x 2 stevee stevee 118784 Apr 1 2024 taskkill.exe
-r-xr-xr-x 2 stevee stevee 122880 Apr 1 2024 tasklist.exe
-r-xr-xr-x 2 stevee stevee 978248 Dec 9 14:46 tcblaunch.exe
-r-xr-xr-x 2 stevee stevee 45056 Sep 14 18:13 tcmsetup.exe
-r-xr-xr-x 2 stevee stevee 57344 Apr 1 2024 timeout.exe
-r-xr-xr-x 2 stevee stevee 126976 Dec 9 14:47 tpmvscmgr.exe
-r-xr-xr-x 2 stevee stevee 143360 Dec 9 14:47 tpmvscmgrsvr.exe
-r-xr-xr-x 2 stevee stevee 430080 Sep 14 18:13 tracerpt.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 tscon.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 tsdiscon.exe
-r-xr-xr-x 3 stevee stevee 49152 Apr 1 2024 tskill.exe
-r-xr-xr-x 2 stevee stevee 311336 Sep 14 18:13 ttdinject.exe
-r-xr-xr-x 2 stevee stevee 137808 Sep 14 18:13 tttracer.exe
-r-xr-xr-x 2 stevee stevee 81920 Dec 12 2024 typeperf.exe
-r-xr-xr-x 2 stevee stevee 253440 Dec 9 14:47 tzsync.exe
-r-xr-xr-x 2 stevee stevee 65536 Apr 1 2024 tzutil.exe
-r-xr-xr-x 2 stevee stevee 75176 Dec 9 14:47 ucsvc.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 12 2024 unlodctr.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:47 updatecli.exe
-r-xr-xr-x 2 stevee stevee 195664 Dec 9 14:47 upfc.exe
-r-xr-xr-x 3 stevee stevee 73728 Sep 14 18:13 upnpcont.exe
-r-xr-xr-x 2 stevee stevee 139264 Dec 9 14:47 userinit.exe
-r-xr-xr-x 2 stevee stevee 737280 Dec 9 14:47 vds.exe
-r-xr-xr-x 3 stevee stevee 77824 Dec 12 2024 vdsldr.exe
-r-xr-xr-x 2 stevee stevee 45056 Apr 1 2024 verclsid.exe
-r-xr-xr-x 2 stevee stevee 214440 Nov 13 11:32 verifier.exe
-r-xr-xr-x 2 stevee stevee 204800 Dec 12 2024 verifiergui.exe
-r-xr-xr-x 3 stevee stevee 552960 Dec 12 2024 vfpctrl.exe
-r-xr-xr-x 2 stevee stevee 4351400 Dec 9 14:46 vmcompute.exe
-r-xr-xr-x 3 stevee stevee 1240064 Dec 9 17:04 vmconnect.exe
-r-xr-xr-x 2 stevee stevee 14005664 Dec 9 17:04 vmms.exe
-r-xr-xr-x 2 stevee stevee 71624 Dec 4 17:51 vmplatformca.exe
-r-xr-xr-x 2 stevee stevee 191576 Dec 11 18:37 vmsp.exe
-r-xr-xr-x 2 stevee stevee 3703744 Dec 9 14:46 vmwp.exe
-r-xr-xr-x 2 stevee stevee 167936 Sep 14 18:13 vssadmin.exe
-r-xr-xr-x 3 stevee stevee 2115184 Feb 22 2024 vulkaninfo-1-999-0-0-0.exe
-r-xr-xr-x 3 stevee stevee 2115184 Feb 22 2024 vulkaninfo.exe
-r-xr-xr-x 2 stevee stevee 274432 Dec 9 14:47 w32tm.exe
-r-xr-xr-x 2 stevee stevee 65536 Apr 1 2024 waitfor.exe
-r-xr-xr-x 2 stevee stevee 380928 Dec 9 14:46 wbadmin.exe
-r-xr-xr-x 2 stevee stevee 1540096 Dec 9 14:46 wbengine.exe
-r-xr-xr-x 3 stevee stevee 131072 Apr 1 2024 wecutil.exe
-r-xr-xr-x 2 stevee stevee 296360 Dec 9 14:46 wermgr.exe
-r-xr-xr-x 2 stevee stevee 299008 Nov 13 11:33 wevtutil.exe
-r-xr-xr-x 2 stevee stevee 172032 Dec 9 14:46 wextract.exe
-r-xr-xr-x 2 stevee stevee 65536 Apr 1 2024 where.exe
-r-xr-xr-x 2 stevee stevee 98304 Dec 12 2024 whoami.exe
-r-xr-xr-x 2 stevee stevee 126976 Sep 14 18:13 wiaacmgr.exe
-r-xr-xr-x 2 stevee stevee 65536 Sep 14 18:13 wiawow64.exe
-r-xr-xr-x 2 stevee stevee 128400 Dec 9 14:47 wifitask.exe
-r-xr-xr-x 2 stevee stevee 640424 Nov 13 11:33 wimserv.exe
-r-xr-xr-x 2 stevee stevee 794840 Dec 9 14:47 wininit.exe
-r-xr-xr-x 3 stevee stevee 1865680 Dec 9 14:46 winload.exe
-r-xr-xr-x 2 stevee stevee 958464 Dec 9 14:47 winlogon.exe
-r-xr-xr-x 3 stevee stevee 1460712 Dec 9 14:46 winresume.exe
-r-xr-xr-x 2 stevee stevee 77824 Nov 13 11:33 winrs.exe
-r-xr-xr-x 2 stevee stevee 57344 Nov 13 11:33 winrshost.exe
-r-xr-xr-x 2 stevee stevee 32768 Apr 1 2024 winver.exe
-r-xr-xr-x 2 stevee stevee 311360 Dec 9 14:47 wkspbroker.exe
-r-xr-xr-x 2 stevee stevee 425984 Dec 9 14:47 wksprt.exe
-r-xr-xr-x 2 stevee stevee 151552 Dec 9 14:47 wlanext.exe
-r-xr-xr-x 2 stevee stevee 154336 Dec 9 14:47 wlrmdr.exe
-r-xr-xr-x 3 stevee stevee 49152 Sep 14 18:13 wowreg32.exe
-r-xr-xr-x 3 stevee stevee 49152 Sep 14 18:13 wpnpinst.exe
-r-xr-xr-x 2 stevee stevee 389120 Dec 9 14:46 wpr.exe
-r-xr-xr-x 3 stevee stevee 32768 Dec 12 2024 wscadminui.exe
-r-xr-xr-x 2 stevee stevee 200704 Dec 9 14:47 wscript.exe
-r-xr-xr-x 2 stevee stevee 258048 Dec 9 14:46 wsl.exe
-r-xr-xr-x 2 stevee stevee 86016 Dec 9 14:46 wslconfig.exe
-r-xr-xr-x 2 stevee stevee 69632 Dec 9 14:47 wsmprovhost.exe
-r-xr-xr-x 2 stevee stevee 122880 Dec 9 14:47 wsqmcons.exe
-r-xr-xr-x 2 stevee stevee 45984 Feb 24 2025 wuapihost.exe
-r-xr-xr-x 2 stevee stevee 156056 Dec 9 14:47 wuauclt.exe
-r-xr-xr-x 2 stevee stevee 237568 Dec 9 14:47 wusa.exe
-r-xr-xr-x 2 stevee stevee 73728 Apr 1 2024 xcopy.exe
-r-xr-xr-x 2 stevee stevee 3690496 Dec 9 14:47 xpsrchvw.exe
-r-xr-xr-x 2 stevee stevee 94208 Dec 12 2024 xwizard.exe
- Security & Updates
- 9. Update Notification Loop (Windows Update Service Disabled)
- Diagnosis: Windows Update fails immediately, and services.msc shows the Windows Update service as Stopped or Disabled.
- Privilege Required: Admin (to modify services).
- Escalation Decision/Action: Escalate. This is a critical system service, likely controlled by GPO. Your role is to diagnose the stopped service and escalate for an L2/Admin to start/enable it.
- Security & Updates (Cont.)
- Antivirus Disabled (Service Fault)
- Fault Scenario: A critical Antivirus or Endpoint Detection and Response (EDR) service is deliberately set to Stopped or Disabled in services.msc. (Not available in Home or Pro!)
- Diagnosis: The system tray icon shows the antivirus is disabled or "at risk." Checking the Antivirus service's status in the Services console confirms the state.
- Privilege Required: Administrator (to modify services).
- Escalation Decision/Action: Escalate. This is a critical security service, likely controlled by a Group Policy Object (GPO) or central management software. The L1 job is to document the stopped service and escalate for an L2/Admin to start/enable it.
- Firewall Profile Set to Public
- Fault Scenario: The network connection profile for the active adapter is manually switched from Private or Domain to Public.
- Diagnosis: The user reports being unable to connect to internal resources (file shares, printers). The technician checks Network and Sharing Centre or Windows Firewall settings and confirms the active network profile is Public, which often blocks common internal traffic (like SMB).
Command:
PS C:\WINDOWS\system32> Get-NetConnectionProfile
Name : Planta1_5G
InterfaceAlias : vEthernet (Ext LAN Switch)
InterfaceIndex : 48
NetworkCategory : Private
DomainAuthenticationKind : None
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic
The firewall can be switched off briefly to show whether it is the cause of this fault (search for "firewall", then use the turn on or off option).
The firewall settings screen shows the settings you can customize for the Private Network and the Public Network profiles. It does not mean both profiles are simultaneously active on the same network adapter.
The Rule of Active Profiles
Windows operating systems (including Windows 11) operate on the principle of one active network profile per interface (network adapter).
- When your VM's network adapter connects, Windows detects the network type (Domain Controller present, private network, or unknown/public) and assigns one of those three profiles to that connection.
- The Windows Firewall then loads and enforces the rules specifically associated with that one active profile.
So, when you are connected to your Hyper-V network, your adapter is considered Private, Public, or Domain, never a mix of them at the same time.
- Privilege Required: Administrator (to change the network profile).
- Escalation Decision/Action: Fix It/Escalate. The L1 technician should attempt to change the network profile back to Private via Windows Settings. If the option is greyed out (due to GPO), the fault must be confirmed, documented, and escalated for policy review.
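The diagnosis and escalation decision above can be written down as a read-only triage script. This is an added example, not part of the original lab notes: the function names, the sample objects (built from the `Get-NetConnectionProfile` output shown above, with one switched to Public to represent the fault) and the file server name in the usage comment are assumptions.

```powershell
# Added example, not from the original page. Read-only: it changes no setting.

function Get-ProfileTriage {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-NetConnectionProfile output.
        [Parameter(Mandatory)] [object[]] $ConnectionProfile,
        # Outcome of a TCP 445 test against the file server.
        [ValidateSet('Yes', 'No', 'NotTested')] [string] $Smb445Reachable = 'NotTested'
    )
    foreach ($p in $ConnectionProfile) {
        # The live cmdlet returns an enum; casting to string gives
        # 'Public', 'Private' or 'DomainAuthenticated'.
        switch ([string]$p.NetworkCategory) {
            'Public' {
                $verdict = 'Matches the fault scenario: active profile is Public'
                $action  = 'Change the profile back to Private in Windows Settings; ' +
                           'if the option is greyed out (GPO), document and escalate'
            }
            'Private' {
                if ($Smb445Reachable -eq 'No') {
                    $verdict = 'Profile is Private, so the profile is not the cause'
                    $action  = 'Go back to connectivity, NTFS vs. Share permissions ' +
                               'and AD group membership'
                } else {
                    $verdict = 'Profile is Private (expected for a home or lab network)'
                    $action  = 'No profile change needed'
                }
            }
            'DomainAuthenticated' {
                $verdict = 'Profile is Domain; firewall rules are managed by GPO'
                $action  = 'Document the result; rule changes belong to the Domain Administrator'
            }
            default {
                $verdict = "Unrecognised category '$($p.NetworkCategory)'"
                $action  = 'Document and escalate'
            }
        }
        [pscustomobject]@{
            InterfaceAlias  = $p.InterfaceAlias
            InterfaceIndex  = $p.InterfaceIndex
            NetworkCategory = [string]$p.NetworkCategory
            Smb445Reachable = $Smb445Reachable
            Verdict         = $verdict
            Action          = $action
        }
    }
}

function Get-LiveTriage {
    # Collects the real inputs on the affected machine and runs the same logic.
    param([Parameter(Mandatory)] [string] $FileServer)

    $profiles = Get-NetConnectionProfile
    $reachable = Test-NetConnection -ComputerName $FileServer -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Record the firewall on/off state per profile, so the ticket shows the
    # firewall was back on after any quick "turn it off" test.
    Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize | Out-Host

    $result = if ($reachable) { 'Yes' } else { 'No' }
    Get-ProfileTriage -ConnectionProfile $profiles -Smb445Reachable $result
}

# Constructed sample input: the adapter from the output above, in the faulty
# (Public) state and in the healthy (Private) state.
$faulty = [pscustomobject]@{
    Name = 'Planta1_5G'; InterfaceAlias = 'vEthernet (Ext LAN Switch)'
    InterfaceIndex = 48; NetworkCategory = 'Public'
}
$healthy = [pscustomobject]@{
    Name = 'Planta1_5G'; InterfaceAlias = 'vEthernet (Ext LAN Switch)'
    InterfaceIndex = 48; NetworkCategory = 'Private'
}

Get-ProfileTriage -ConnectionProfile $faulty  -Smb445Reachable 'No' | Format-List
Get-ProfileTriage -ConnectionProfile $healthy -Smb445Reachable 'No' | Format-List

# On the affected machine (hypothetical server name):
#   Get-LiveTriage -FileServer 'fileserver.labserver2022.local'
```

The `Verdict` and `Action` fields can be pasted straight into the ticket as the documented diagnosis.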
THE WIN FIREWALL TRUST MODEL:
| Profile | Level of Trust | Typical Use Case | SMB/Port 445 (File Sharing) |
| --- | --- | --- | --- |
| 1. Public | Zero Trust (Least Permissive) | Coffee shops, airports, hotel Wi-Fi, or direct connection to the Internet. | Blocked by default. Windows assumes the entire network is hostile, preventing other devices from seeing your computer or accessing your files. |
| 2. Private | High Trust (Permissive) | Home network, personal lab, or a small, self-managed office network. | Allowed by default. Windows assumes devices on this network are trusted, enabling features like file sharing, network discovery, and printing. |
| 3. Domain | Total Trust (GPO Managed) | Corporate, school, or business networks managed by Active Directory (AD). | Allowed by default, but the rules are centrally controlled by the Domain Administrator via Group Policy Object (GPO). |

| Service / Rule Group | Protocol | Port(s) | Description |
| File and Printer Sharing (SMB) | TCP | 445 | Allows other computers to access shared files and folders (what you are testing). |
| File and Printer Sharing (NetBIOS) | UDP | 137, 138 | Used for Network Discovery and name resolution on the local subnet. |
| File and Printer Sharing (Session) | TCP | 139 | Older NetBIOS session service (still used in some environments). |
| Network Discovery (Core) | UDP | 3702, 5355 | Allows your computer to see other devices and be seen by them in the Network list. |
| Remote Desktop (RDP) | TCP | 3389 | Allows your machine to accept remote connections (crucial for your VM testing). This rule is often enabled on Domain/Private profiles, but sometimes manually added. |
| Web Services (Device Discovery) | TCP | 5357 | Used for discovery of network-connected devices (e.g., printers, smart home devices). |
| System Services (ICMP) | ICMP | (No Port) | Allows inbound Echo Requests (Ping), essential for basic network troubleshooting (ping 192.168.1.1). |
| Dynamic RPC (High Ports) | TCP/UDP | 49152-65535 | The Windows Dynamic Port range. Specific rules allow traffic for certain high-port RPC services (like Active Directory) on a trusted network. |
Why ICMP Doesn't Need a Port
Transport Layer (Uses Ports): This layer handles communication between applications or services on two different computers. Protocols here are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).
- Ports are the addresses used by the applications (e.g., your web browser, a mail client, or the SMB service) to talk to the specific application on the destination machine.
- Example: TCP 80 (HTTP) or UDP 53 (DNS).
Internet Layer (Uses Protocol Numbers, not Ports): This layer handles communication between computers (hosts) on two different networks. The primary protocol here is IP (Internet Protocol).
- Protocol Numbers are identifiers used to tell the receiving computer which Transport Layer protocol is inside the IP packet.
- ICMP (Internet Control Message Protocol) sits directly at this layer (or sometimes is considered an auxiliary protocol to IP).
ICMP's job is not to deliver data to an application (like a web server or file share); its job is to deliver control and error messages to the operating system's network stack itself.
| Protocol | Layer | Destination | What it uses for Addressing |
| TCP/UDP | Transport | An Application or Service (e.g., DNS, SMB, RDP). | Port Number |
| ICMP | Internet | The Operating System's Network Kernel (the core system). | Protocol Number |
In short, the Protocol Number gets the packet to the right protocol; the Port Number gets the packet to the right application.
- Networking & Connectivity (Safe Changes)
- Incorrect Static DNS Entry
- Fault Scenario: The TCP/IPv4 properties for the network adapter are manually changed to use a specific, incorrect, or unreachable DNS server (e.g., a non-existent internal address or a blocked external address).
- Diagnosis: The user can successfully run ipconfig and can ping the default gateway (router), but any attempt to browse the Internet or run nslookup fails. The technician checks the adapter's DNS settings.
- Privilege Required: Administrator (to modify adapter properties).
- Escalation Decision/Action: The L1 technician changes the adapter settings back to "Obtain DNS server address automatically."
- No Sound Output (Device Disabled)
- Fault Scenario: The primary audio output device (e.g., Speakers or Headphones) is manually Disabled in Device Manager. (A Red Cross present – enabled/disabled by right click)
- Diagnosis: The system tray speaker icon shows a red 'X' or "No audio output device is installed." Device Manager shows the audio device exists but has a black arrow pointing down, indicating a disabled state.
- Privilege Required: Administrator (to modify devices).
- Escalation Decision/Action: Fix It/Escalate. If the device is simply disabled, the L1 technician can right-click and Enable device in Device Manager. If the device has a corrupted or missing driver (a yellow exclamation mark), the issue should be Escalated for driver re-installation.
- System and Performance (Cont.)
- System Date/Time Out of Sync
- Fault Scenario: The system date is manually set to an incorrect value (e.g., years in the past or future), and the Windows Time service (W32Time) is set to Stopped.
- Diagnosis: The user reports being unable to browse secure websites (SSL/TLS certificate errors). The technician notices the system clock is grossly incorrect. Checking services.msc confirms the Windows Time service is not running.
- Privilege Required: Administrator (to modify service/NTP settings).
- Escalation Decision/Action: Start the Windows Time service, set the Startup Type to Automatic, and then force a manual time synchronization with a reliable time server ("Sync now").
- CPU Maxed Out (Background Process)
- Fault Scenario: A non-essential user-level application (e.g., a simple loop script named TEST_HIGH_CPU.exe) is left running in the background, consuming excessive CPU resources.
- Diagnosis: The VM is slow and unresponsive. The technician opens Task Manager and finds the TEST_HIGH_CPU.exe process consuming 95%+ of the CPU.
- Privilege Required: User (to terminate the process).
- Escalation Decision/Action: Terminate the resource-hogging process via Task Manager.
If the application is designed to restart automatically (e.g., via Task Scheduler or Startup apps), Escalate to disable the application's persistent startup entry.
- User Experience & Profile (Cont.)
- Temporary Profile Login
- Fault Scenario: The registry settings for the user's profile (ProfileList key) are intentionally manipulated or deleted to simulate a corrupted user profile.
- Diagnosis: The user logs in and immediately receives a notification stating, "You've been signed in with a temporary profile."
- – INCORRECT IN Win11 – normal desktop, but Explorer PC name is now default, and there is no .TEMP extension for the User in Explorer
- All personal files, desktop icons, and customized settings are missing. - CORRECT
- Privilege Required: Administrator (to repair the registry).
- Escalation Decision/Action: Escalate. Repairing a corrupted user profile requires complex and risky changes to the registry's ProfileList key and often involves correcting file system permissions, which is an L2 function.
The big question is: what happened in the VM account that proved catastrophic with the deletion of NTUSER.DAT doing the same exercise?
Conclusion
The most probable culprit is the I/O Lock/Timeout issue (Point 1). The difference between the VM's slow, virtualized disk access and the host's high-speed access is usually the deciding factor in these kinds of low-level, time-sensitive system repairs. The VM simply failed to complete the repair in time, forcing Windows to nuke the profile instead of fixing it.
This confirms that the successful L2 fix you performed is the correct procedure for the majority of real-world machines, while the VM incident serves as a good cautionary tale about troubleshooting in virtualized environments!
Additional: “I have more---I found out what SHOULD have happened in the VM. On creating a new user "joe" in the vm, I renamed its profile to .bak then locked my admin user and logged into "joe" first time to create profile data. I logged back into admin and changed profile joe in regedit to .bak and SIGNED OUT, unlike before with test_user where I left by using LOCK!! Maybe that's what caused the corruption? I could immediately log back into joe, despite the .bak change, and when I checked regedit in admin, the .bak profile had been changed back to xxx1003 from xxx1003.bak, so had chosen a profile that seemed to have legitimate data for that user name, despite being renamed .bak I guess? I wonder if this has anything to do with these new accounts having only online sign ins now, not local accounts, and when I locked the test_user account before, then renamed it to .bak it could not resolve its locked state properly to the online ID, and somehow caused the total account loss?”
That is an extremely insightful observation and a fantastic piece of targeted testing. You've uncovered a potential critical differentiator in how Windows 11 handles profile corruption, and your hypothesis about the LOCK vs. SIGN OUT action combined with the Online Account Dependency is highly plausible.
- Keyboard Layout Switched
- Fault Scenario: The default keyboard input method is switched to an incompatible layout (e.g., US keyboard set to UK layout, or vice versa, where 'Z' and 'Y' are swapped).
- Diagnosis: The user types letters (e.g., the letter Z) and gets the wrong character (e.g., the letter Y). The technician checks the language bar/indicator in the taskbar or verifies the keyboard input method via Settings.
- Privilege Required: User (to change keyboard settings).
- Escalation Decision/Action: Guide the user or execute the change by modifying the keyboard input method via Settings > Time & Language > Language & Region.
- File Explorer Default View Broken
- Fault Scenario: The default view settings for a common folder type are modified to a restrictive or inconvenient view (e.g., forcing all folders to open in "List" or "Details" mode).
- Diagnosis: The user opens a folder of images and expects "Icons" view, but it always defaults to "Details." The technician checks the File Explorer Options settings.
- Privilege Required: User (to modify folder options).
- Escalation Decision/Action: The user can correct the default view by navigating to File Explorer > ... > Options > View tab > Apply to Folders. This is a user profile setting.
- Search “Folder Options”
- System Tools Missing (Shortcut Deleted)
- Fault Scenario: A shortcut to a standard system tool (e.g., Resource Monitor (resmon.exe)) is deleted from the Windows Tools folder, but the underlying .exe file is still intact.
- Diagnosis: The user reports the tool is missing from the Start Menu > All Apps > Windows Tools folder. The technician verifies that running the tool's executable (e.g., typing resmon.exe in the Run box) still works correctly. Search for "Resource" and show the file location:
- You can right-click a tool and create a shortcut on the Desktop.
- Privilege Required: User (to replace a shortcut).
- Escalation Decision/Action: The shortcut file was deleted from the non-administrator path (likely C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Tools). The L1 technician can recreate the shortcut, as this only affects the menu link, not the underlying system tool.
10 More:
That is excellent preparation! Your detailed notes show a powerful capacity for root-cause analysis, particularly your discovery about the distinction between LOCK and SIGN OUT when manipulating the profile registry—that is genuinely high-level troubleshooting.
Here are the additions to your document, fulfilling your requests for more L1-level ways to break the services, followed by 10 new realistic L1 scenarios.
Additional L1 Breaking Methods
Here are other methods, discoverable by a Level 1 technician, for inducing the faults you identified.
For Fault 1 (No Internet Access/DNS)
The fault is a lack of name resolution or network connection while the physical layer is assumed OK.
- Change Network Adapter State: Disable the network adapter directly through the Network Connections control panel (ncpa.cpl).
- L1 Diagnosis: ipconfig /all will report "Media disconnected," and the network icon will show a globe or cable unplugged icon. This is often an accidental user click in Windows Settings.
- Set an IP Address Outside the Gateway's Subnet: Manually set a static IP address for the adapter, but use an address that is outside the range of the router/gateway (e.g., if the gateway is 192.168.1.1, set the PC's IP to 10.0.0.10).
- L1 Diagnosis: ipconfig /all will show a valid IP address, but you will fail to ping the gateway (192.168.1.1), confirming a subnet mismatch.
- Set a Completely Wrong, Unreachable DNS Server: Manually configure the network adapter to use a specific DNS server address (like 1.1.1.99), but ensure that IP is unreachable or simply not a DNS server. (This is a variation of your Fault 12 but used as a deliberate breaking step here).
- L1 Diagnosis: Ping works to IP addresses (like 8.8.8.8), but nslookup google.com fails, indicating name resolution is broken, not connectivity.
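The three breaking methods above leave different fingerprints, so the same checks can be run in a fixed order to tell them apart. The PowerShell below is an added example, not part of the original notes; the function names and the /24 prefix in the constructed samples are assumptions.

```powershell
# Added example: classify the "no Internet" faults described above.
# Function names are illustrative; the cmdlets are the built-in NetAdapter,
# NetTCPIP and DnsClient modules on Windows 10/11.

function Test-SameSubnet {
    # True when Address and Gateway fall inside the same IPv4 network.
    param([string]$Address, [string]$Gateway, [int]$PrefixLength)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $g = [System.Net.IPAddress]::Parse($Gateway).GetAddressBytes()
    $bits = $PrefixLength
    for ($i = 0; $i -lt 4; $i++) {
        $n    = [Math]::Min(8, [Math]::Max(0, $bits))   # mask bits in this octet
        $mask = (0xFF -shl (8 - $n)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($g[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Get-ConnectivityFault {
    # Walks the layers bottom-up and returns the first fault found.
    param([Parameter(Mandatory)][pscustomobject]$Facts)
    if ($Facts.AdapterStatus -ne 'Up') {
        return 'Adapter disabled or media disconnected (check ncpa.cpl)'
    }
    if (-not $Facts.Gateway) { return 'No default gateway configured' }
    $sameNet = Test-SameSubnet -Address $Facts.Address -Gateway $Facts.Gateway `
                               -PrefixLength $Facts.PrefixLength
    if (-not $sameNet)            { return 'IP address is outside the gateway subnet' }
    if (-not $Facts.GatewayPing)  { return 'Gateway unreachable on the local subnet' }
    if (-not $Facts.ExternalPing) { return 'No route beyond the gateway' }
    if (-not $Facts.NameResolves) {
        return "Name resolution broken (DNS servers: $($Facts.DnsServers -join ', '))"
    }
    return 'No fault found'
}

function Get-ConnectivityFacts {
    # Collects the live facts for one adapter. Read-only.
    param([Parameter(Mandatory)][string]$InterfaceAlias,
          [string]$ProbeIp = '8.8.8.8', [string]$ProbeName = 'google.com')
    $adapter = Get-NetAdapter -Name $InterfaceAlias
    $facts = [ordered]@{
        AdapterStatus = [string]$adapter.Status
        Address = $null; PrefixLength = 0; Gateway = $null; DnsServers = @()
        GatewayPing = $false; ExternalPing = $false; NameResolves = $false
    }
    if ($adapter.Status -eq 'Up') {
        $cfg = Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
        $ip  = $cfg.IPv4Address | Select-Object -First 1
        $facts.Address      = $ip.IPAddress
        $facts.PrefixLength = $ip.PrefixLength
        $facts.Gateway      = ($cfg.IPv4DefaultGateway | Select-Object -First 1).NextHop
        $facts.DnsServers   = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
                                   -AddressFamily IPv4).ServerAddresses
        if ($facts.Gateway) {
            $facts.GatewayPing = Test-Connection -ComputerName $facts.Gateway -Count 1 -Quiet
        }
        $facts.ExternalPing = Test-Connection -ComputerName $ProbeIp -Count 1 -Quiet
        # A cached answer can hide a broken resolver; retest with another name if in doubt.
        $facts.NameResolves = [bool](Resolve-DnsName -Name $ProbeName -Type A -DnsOnly `
                                         -ErrorAction SilentlyContinue)
    }
    [pscustomobject]$facts
}

# Constructed facts reproducing the three faults from the notes (the /24 is assumed).
$samples = @(
    [pscustomobject]@{ AdapterStatus = 'Disabled' },
    [pscustomobject]@{ AdapterStatus = 'Up'; Address = '10.0.0.10'; PrefixLength = 24
                       Gateway = '192.168.1.1'; DnsServers = @('192.168.1.1')
                       GatewayPing = $false; ExternalPing = $false; NameResolves = $false },
    [pscustomobject]@{ AdapterStatus = 'Up'; Address = '192.168.1.105'; PrefixLength = 24
                       Gateway = '192.168.1.1'; DnsServers = @('1.1.1.99')
                       GatewayPing = $true; ExternalPing = $true; NameResolves = $false }
)
$samples | ForEach-Object { Get-ConnectivityFault -Facts $_ }

# Live use on the lab VM (the adapter alias is an assumption):
# Get-ConnectivityFault -Facts (Get-ConnectivityFacts -InterfaceAlias 'Ethernet')
```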
For Fault 2 (Cannot Reach File Share/SMB Blocked)
The fault is related to SMB traffic on port 445.
- Disable "File and Printer Sharing" in Adapter Properties: Go to the network adapter's properties and uncheck the box for "File and Printer Sharing for Microsoft Networks."
- L1 Diagnosis: The Server service may still be running, but Test-NetConnection -Port 445 will fail for local access, and the system will not appear in Network Discovery.
- Turn off Network Discovery: In the Network and Sharing Center (or advanced sharing settings), explicitly set the Network Discovery option to Off for the current profile (Private or Public).
- L1 Diagnosis: You can still reach the PC via its static IP address and the share port (\\192.168.1.105), but the PC cannot be found or accessed by its name (\\Win11VM).
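Both Fault 2 here and the earlier Public-profile fault come down to the same question: which setting is stopping inbound TCP 445 on this interface? The PowerShell below is an added example, not part of the original notes, that answers it without disabling the firewall; the function names are assumptions, and it is meant to be run in an elevated session on the machine that hosts the share.

```powershell
# Added example: read-only check of what gates inbound SMB (TCP 445) on each
# connected interface. Function names are illustrative. -DisplayGroup uses the
# English group names; they differ on localized Windows.

function Test-InboundAllowRule {
    # True when an enabled inbound Allow rule in the group applies to the given
    # firewall profile and (optionally) to the given local port.
    # ActiveStore includes rules delivered by Group Policy.
    param([string]$DisplayGroup, [string]$FirewallProfile, [string]$LocalPort)
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $DisplayGroup `
                 -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
            $_.Action -eq 'Allow' -and
            ($_.Profile.ToString() -eq 'Any' -or
             ($_.Profile.ToString() -split ',\s*') -contains $FirewallProfile)
        }
    if ($LocalPort -and $rules) {
        $rules = $rules | Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort -contains $LocalPort
        }
    }
    [bool]$rules
}

function Get-SmbExposureReport {
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                            -ErrorAction SilentlyContinue)
    $server    = [string](Get-Service -Name LanmanServer).Status

    foreach ($conn in Get-NetConnectionProfile) {
        # Connection profiles say 'DomainAuthenticated'; firewall rules say 'Domain'.
        $fwProfile = [string]$conn.NetworkCategory
        if ($fwProfile -eq 'DomainAuthenticated') { $fwProfile = 'Domain' }

        $fwOn     = (Get-NetFirewallProfile -PolicyStore ActiveStore `
                         -Name $fwProfile).Enabled -eq 'True'
        # "File and Printer Sharing for Microsoft Networks" checkbox on the adapter.
        $binding  = (Get-NetAdapterBinding -InterfaceAlias $conn.InterfaceAlias `
                         -ComponentID ms_server -ErrorAction SilentlyContinue).Enabled
        $smbRule  = Test-InboundAllowRule 'File and Printer Sharing' $fwProfile '445'
        $discRule = Test-InboundAllowRule 'Network Discovery' $fwProfile

        if ($server -ne 'Running' -or -not $listening) {
            $verdict = 'Nothing is listening on TCP 445: check the Server service'
        } elseif ($binding -eq $false) {
            $verdict = 'File and Printer Sharing is unchecked on this adapter'
        } elseif ($fwOn -and -not $smbRule) {
            $verdict = "No enabled inbound rule for TCP 445 on the $fwProfile profile"
        } elseif ($fwOn -and -not $discRule) {
            $verdict = 'SMB allowed, but Network Discovery is off: reachable by IP only'
        } else {
            $verdict = 'Inbound SMB is permitted on this interface'
        }

        [pscustomobject]@{
            Interface        = $conn.InterfaceAlias
            Network          = $conn.Name
            ActiveProfile    = $fwProfile
            FirewallEnabled  = $fwOn
            ServerService    = $server
            Listening445     = $listening
            AdapterBinding   = $binding
            SmbRuleEnabled   = $smbRule
            DiscoveryEnabled = $discRule
            Verdict          = $verdict
        }
    }
}

Get-SmbExposureReport | Format-List
```

From the client side, `Test-NetConnection -ComputerName 192.168.1.105 -Port 445` confirms the result over the wire. Where policy allows it, `Set-NetConnectionProfile -InterfaceAlias <alias> -NetworkCategory Private` switches a misdetected Public network back to Private.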
10 New L1 Support Scenarios
Here are 10 new scenarios focused on common L1 troubleshooting areas, formatted for your document:
- User Cannot Log In to a Website (Certificate Error):
- Fault Scenario: The user reports that a critical internal website is inaccessible, displaying an error message about an invalid or expired certificate.
- L1 Diagnosis (Step 1: Time/Clock Check): The technician must first verify the System Time and Date. An inaccurate clock (even a difference of a few minutes, or a wrong year/time zone) will cause the system to reject any certificate (which has a strict start/end date). (This addresses the clock inaccuracy point.)
- L1 Diagnosis (Step 2: Browser State Reset): Clear the browser's security cache and SSL state (e.g., via Internet Options > Content > Clear SSL state or equivalent browser settings) to force a new, clean handshake.
Check the browser's certificates against the website name and check whether they are old; the old certificate may be in a tab list:
- L1 Diagnosis (Step 3: Certificate Stores): If the time and cache reset fail, the technician must check both:
- The Windows Certificate Manager (certmgr.msc) for expired certificates in the system-wide stores.
- The Browser's internal certificate management settings (e.g., Chrome's chrome://settings/certificates) to manually remove client-side certificates or check for local overrides. (This addresses the Browser Cert option point.)
- Privilege: User (to adjust time/date, clear cache, and manage personal certificates).
- Escalation: Fix It (A successful resolution requires identifying and fixing the specific time, state, or stored certificate causing the trust failure).
- Privilege: User (to clear browser cache/certificates).
- Escalation: Fix It (Guide the user to clear the relevant certificate/cache).
- User Cannot Install Software (Installer Fails Immediately):
- Fault Scenario: A user downloads a valid, trusted application installer file (e.g., a PDF reader) and attempts to run it, but it fails instantly with a cryptic error or nothing happens at all.
Why does it always run for Admin but not Standard User? “Service Control Restriction: The Service Control Manager (SCM) is a highly protected component of Windows. A non-elevated (Standard User) process is deliberately denied the permission to start or stop most system services, including the Windows Installer.
The Failure: If the msiserver service is set to Manual (but is currently Stopped), the standard user's installation process attempts to start it and is met with an Access Denied error from the SCM - but not for an Admin.
The Result: Since the core service required for unpacking and executing the installation sequence cannot be started, the installer fails immediately with a vague or cryptic error, or simply exits.”
- L1 Diagnosis: Verify the status of the Windows Installer service (msiserver) in services.msc. It may be stopped or disabled, preventing all .msi installations.
- Privilege: Administrator (to start the service).
- Escalation: Escalate (Document the service state and request L2/Admin intervention to set it to Automatic and Start it).
- Printer Disappears from List:
- Fault Scenario: A user's previously installed network printer (which is online and reachable by ping) has completely vanished from the list of available printers in the Print dialogue and Settings.
- L1 Diagnosis: Check the status of the Print Spooler service (Spooler) in services.msc. This service is responsible for managing all local and network printer connections, and if it stops, all printers disappear.
- Privilege: Administrator (to start the service).
- Escalation: Fix It (Attempt to restart the Print Spooler service, as this often resolves the issue. If it fails to start, escalate).
- Application Runs Extremely Slow (Specific App Only):
- Fault Scenario: The entire system performs well, but a single, critical line-of-business application takes minutes to launch and is unresponsive.
- L1 Diagnosis: Open Task Manager, go to the Details tab, find the specific application process, right-click, and check its Priority. A malicious script or a configuration error may have set its priority to Low or Below Normal. Most are normal priority.
- Privilege: User/Administrator (to change the priority for the current session).
- Escalation: Fix It (Change the process priority to Normal or Above Normal to restore responsiveness).
- User Cannot Open Control Panel (or System Tool):
- Fault Scenario: The user attempts to open a key system tool (like Control Panel or Device Manager), but nothing happens, and there is no error message. Other tools open fine.
- L1 Diagnosis: This can be caused by the user's shell (Explorer.exe) being unstable. Use Task Manager to select the Windows Explorer process, right-click it, and choose Restart.
- Privilege: User (to restart their own shell process).
- Escalation: Fix It (Restarting Explorer often restores the ability to launch system components without a full reboot).
- USB Drive Not Recognized (System Sounds Present):
- Fault Scenario: The user plugs in a flash drive and hears the Windows connection sound, but the drive does not appear in File Explorer or Disk Management.
- L1 Diagnosis: Open Device Manager. The device will likely appear under "Universal Serial Bus controllers" or "Other devices," but with an error (yellow exclamation mark or red 'X') because the driver is corrupt or missing.
- Privilege: Administrator (to update or remove the device).
- Escalation: Escalate (Document the device status and request L2/Admin intervention to update or reinstall the driver).
- Computer Takes a Long Time to Shut Down:
- Fault Scenario: The user reports that shutting down the computer takes over five minutes, often displaying a "Closing 1 application" message.
- L1 Diagnosis: Check the Event Viewer for Shutdown events (Event IDs 101 to 109). This will log the specific application or service that is delaying the shutdown process. E.g., right-click Administrative Events, choose Find, and search for "shutdown".
- Privilege: User/Administrator (to analyse logs).
- Escalation: Fix It (Identify the application delaying the shutdown and instruct the user to close it manually before initiating shutdown).
- Desktop Icons are Too Large/Too Small (Resolution is Correct):
- Fault Scenario: The screen resolution is set correctly, but all text, icons, and applications appear either massive or tiny, making the PC hard to use.
- L1 Diagnosis: This is a user profile scaling issue. Check the Display Resolution and confirm the Scale (DPI) setting is incorrect (e.g., Scale is set to 175% instead of the recommended 100% or 125%).
- Privilege: User (to change personal display settings).
- Escalation: Fix It (Change the scaling back to the recommended setting for the display).
- User Cannot Empty Recycle Bin:
- Fault Scenario: The user tries to empty the Recycle Bin but receives an error message stating that the files are in use or locked by another process, preventing deletion.
- L1 Diagnosis: This means an application is holding a file lock. Open Resource Monitor (as you noted in your document), go to the CPU tab, and in the Associated Handles section, search for \$Recycle.Bin. This will identify the exact process holding the lock.
- Privilege: User (to find the process).
- Escalation: Fix It (Identify and terminate the process holding the file lock via Task Manager or Resource Monitor).
- Keyboard is Functioning, but the Num Lock Key is Stuck Off (or On) After Reboot:
- Fault Scenario: The keyboard works, but the number pad is unusable (or always on) because the Num Lock state is not saved or applied correctly upon login.
- That is the most practical and crucial question to ask about this scenario! You are absolutely right—in a home environment, the user simply pressing the Num Lock key once solves the problem, and they move on.
- The reason this issue is frequently elevated to a Level 1 Support Fault in a real-world, managed environment boils down to two factors: labor efficiency and security compliance.
- 1. The Critical Failure Point: The Logon Screen
- This is the main reason IT treats this as a fault, not a quirk:
- Password Entry: In many corporate environments, users have complex passwords that include numbers, and they naturally use the numeric keypad for speed.
- The Lockout Risk: If the registry forces Num Lock OFF at the logon screen, the user types a password with numbers, but the system interprets them as directional keys (like pressing the Down arrow, Home, or End). The user enters the wrong password repeatedly, leading to a mandatory Account Lockout.
- When an account locks out, it turns a 2-second key press into a 15-minute call to the help desk, involving identity verification and an admin reset—a massive waste of time and a security headache.
- L1 Diagnosis: This is a registry setting that dictates the boot-up state of Num Lock. Check the registry path HKEY_USERS\.DEFAULT\Control Panel\Keyboard and use Find to locate the InitialKeyboardIndicators value. A value of 0 means Num Lock is off; a value of 2 means Num Lock is on.
- Privilege: Administrator (to modify the registry setting for all users).
- Escalation: Escalate (Document the incorrect value and request L2/Admin to change it to 2).
- Temporary Profile Login:
- Fault Scenario: A user logs in and sees a blank desktop. All their files are gone, and a notification says they are logged in with a temporary profile.
- L1 Diagnosis: The technician checks the C:\Users\ folder and verifies that the user's original profile folder is still present. This confirms that the issue is a broken registry pointer to the profile, not a file deletion. The technician also checks the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList for the user's SID to see if a .bak key exists, indicating the corrupt pointer.
Open regedit, search “ProfileList”
- Privilege: Administrator (The fix requires modification to the registry's ProfileList key).
- Escalation: Escalate (This is a complex registry fix requiring L2/Admin privileges to either delete the new temporary profile key and rename the old one, or use the automated User Profile Service cleanup).
NOTE THE DIFFS for User Account Deletion!! Computer Management / lusrmgr.msc only deletes the entry in the SAM database, leaving the profile data (the files and the registry key) behind as an orphaned profile!
But System Properties/User Profiles (sysdm.cpl) removes the Registry Profile:
User x1008 is deleted:
To delete ALL traces of a User and not leave ghost accounts/Profiles, BOTH tools must be used for each half of the account – SAM and Profile!
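The two halves described above (the account in SAM, the profile in ProfileList and C:\Users) can be cross-checked in one pass, which also surfaces the .bak keys from the temporary-profile scenario. The PowerShell below is an added example, not part of the original notes; it only reads, and the function name is an assumption.

```powershell
# Added example: read-only audit of ProfileList against accounts and folders.
# Get-ProfileListAudit is an illustrative name, not a built-in cmdlet.

function Get-ProfileListAudit {
    $root  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $keys  = Get-ChildItem -Path $root
    $names = @($keys | ForEach-Object { $_.PSChildName })

    foreach ($key in $keys) {
        $name = $key.PSChildName
        # Only real user accounts; skips SYSTEM, LocalService, NetworkService.
        if ($name -notmatch '^S-1-5-21-') { continue }

        $isBak = $name -like '*.bak'
        $sid   = $name -replace '\.bak$', ''
        $path  = $key.GetValue('ProfileImagePath')
        $folderExists = [bool]($path -and (Test-Path -LiteralPath $path))

        # Does the SID still map to an account? A SID whose account was deleted
        # (for example via lusrmgr.msc) no longer translates. A domain SID can
        # also fail to translate while no Domain Controller is reachable.
        $account = $null
        try {
            $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        if ($isBak -and ($names -contains $sid)) {
            $finding = 'SID has both a live key and a .bak key (temporary-profile signature)'
        } elseif ($isBak) {
            $finding = 'Only a .bak key exists for this SID'
        } elseif (-not $account) {
            $finding = 'Orphaned profile: account is gone, profile key remains'
        } elseif (-not $folderExists) {
            $finding = 'Key points to a profile folder that does not exist'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Key          = $name
            Account      = $account
            ProfilePath  = $path
            FolderExists = $folderExists
            Finding      = $finding
        }
    }
}

Get-ProfileListAudit | Format-Table -AutoSize -Wrap
```

Anything other than OK is evidence to attach to the escalation ticket; the registry repair itself stays with L2 as described above.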
- OneDrive/Cloud Sync Failure:
- Fault Scenario: A user reports that files they saved recently on their PC desktop are not appearing on their laptop (or vice versa), and the OneDrive cloud icon is stuck on "Processing Changes."
- L1 Diagnosis: The technician confirms the user is signed in to OneDrive. If the icon shows a red 'X', the technician advises the user to check the "View sync problems" window in the OneDrive settings. The most common fix is to Pause and then Resume Syncing to break the sync deadlock.
- Privilege: User (OneDrive status is managed at the user level).
- Escalation: Fix It (Guiding the user through the Pause/Resume or, failing that, the Unlink/Re-link process is the standard L1 resolution).
- Windows Update Stuck:
- Fault Scenario: A user reports that Windows Update has been "stuck at 95% for 4 hours," and they are afraid to turn off the machine.
- L1 Diagnosis: The technician opens Services (services.msc) and checks the status of the Windows Update Service (wuauserv). If the service appears stuck or is not running, the technician attempts to stop and then restart the service. They may also advise the user to hold the power button if the update is confirmed to be safely stuck.
- Privilege: Administrator (To stop and restart system services).
- Escalation: Escalate (If the service fails to restart or the update remains stuck after a reboot, L2/Admin is needed to run the Update Troubleshooter or manually clear the contents of the C:\Windows\SoftwareDistribution folder).
- Default App Association Broken:
- Fault Scenario: The user reports that when they click on a common file type, like a .pdf or .jpg, it opens in the wrong application (e.g., a .pdf opens in Notepad).
- L1 Diagnosis: The technician uses the "Open with" dialogue: right-click the file, select "Open with," choose the correct application (e.g., Adobe Acrobat), and ensure the box "Always use this app to open .pdf files" is checked. Alternatively, the technician can use Settings > Apps > Default apps and set the file association there.
- Privilege: User (This is a user profile setting).
- Escalation: Fix It (Correcting the file association resolves the issue).
- Corrupt Windows Search:
- Fault Scenario: The user types into the Windows Search bar, but it returns no results for local files or settings, only vague web results.
- L1 Diagnosis: The technician checks the status of the Windows Search service (wsearch) in services.msc. If it is running, the technician checks Indexing Options to confirm the index is complete or if it is currently rebuilding.
- Privilege: Administrator (To restart the service and rebuild the index).
- Escalation: Fix It (Attempt to stop/start the wsearch service. If this fails, the technician documents the failure and escalates for L2/Admin to force a complete index rebuild via the Indexing Options > Advanced settings).
- Microphone Not Working (Privacy Lock):
- Fault Scenario: A user reports that their headset microphone works on another device, but applications like Teams or Zoom on the PC report "no microphone found" or "microphone is disabled."
- L1 Diagnosis: This is a common Windows 11 Privacy setting issue. The technician guides the user to check Settings > Privacy & security > Microphone and ensures the top toggle for "Microphone access" and the lower toggle for "Let desktop apps access your microphone" are both set to ON.
- Privilege: User (Privacy settings are managed at the user level).
- Escalation: Fix It (Correcting the privacy setting usually resolves the issue instantly, as this is a security-by-default feature that users overlook).
- Drive Space Warning:
- Fault Scenario: The user's system drive (C:) shows a red bar in File Explorer, and they receive persistent low disk space notifications.
- L1 Diagnosis: The technician opens Settings > System > Storage and uses the Storage Sense feature to analyze what is consuming the most space (e.g., Temporary Files, Downloads, or previous Windows installations).
- Privilege: User (To run Storage Sense cleanup).
- Escalation: Fix It (Guide the user through deleting Temporary Files and clearing large folders using the built-in Storage Sense cleanup recommendations).
- UAC Prompt Failure:
- Fault Scenario: The user attempts to run an administrative task (like updating a device driver), but the User Account Control (UAC) prompt fails to appear entirely (nothing happens), or the screen dims, but the prompt never loads.
- L1 Diagnosis: This suggests a core security feature failure. The technician checks the UAC settings via UserAccountControlSettings.exe to ensure the slider is set to the default level (recommended level, usually the second notch from the top, which uses the Secure Desktop).
- Privilege: Administrator (To modify UAC settings).
- Escalation: Escalate (If the UAC prompt fails to appear correctly at the default setting, it may indicate a security compromise, malware interference, or a deep system corruption requiring L2/Security team involvement).
- Hibernation/Sleep Mode Failure:
- Fault Scenario: The user puts the laptop to sleep, but it immediately wakes up or randomly wakes up minutes later without any user interaction.
- L1 Diagnosis: The technician runs the command powercfg /lastwake in an elevated command prompt. This command identifies the last device or process that triggered the wake event (often a network adapter or a mouse/keyboard).
- Privilege: User (to run the command).
- Escalation: Fix It (Once the device is identified, the technician guides the user to Device Manager to find that specific device and disable its "Allow this device to wake the computer" setting under the Power Management tab).
- Taskbar/Start Menu Unresponsive:
- Fault Scenario: The user can launch applications from the desktop, but clicking the Start button, Taskbar icons (like volume or network), or attempting to use the Windows Search bar results in nothing happening.
- L1 Diagnosis: This is typically a failure of the Windows Shell (Windows Explorer) process. The technician uses Task Manager to find the Windows Explorer process, right-clicks it, and selects Restart.
- Privilege: User (to restart their own shell process).
- Escalation: Fix It (Restarting Windows Explorer almost always resolves temporary Taskbar/Start Menu unresponsiveness without requiring a full system reboot).