🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Windows

by @ivangdavila

Windows-specific patterns, security practices, and operational traps that cause silent failures.

Versionv1.0.0
Downloads2,384
Installs3
Stars⭐ 2
TERMINAL
clawhub install windows

πŸ“– About This Skill


name: Windows description: Windows-specific patterns, security practices, and operational traps that cause silent failures. metadata: category: system skills: ["windows", "powershell", "security", "automation"]

Credential Management

  • Never hardcode passwords in scripts β€” use Windows Credential Manager:
  •   # Store
      cmdkey /generic:"MyService" /user:"admin" /pass:"secret"
      # Retrieve in script
      $cred = Get-StoredCredential -Target "MyService"
      
  • For scripts, use Get-Credential and export securely:
  •   $cred | Export-Clixml -Path "cred.xml"  # Encrypted to current user/machine
      $cred = Import-Clixml -Path "cred.xml"
      

    Silent Failures

  • Windows Defender silently quarantines downloaded scripts/executables β€” check quarantine if script disappears
  • Group Policy overrides local settings silently β€” gpresult /r to see what's actually applied
  • Antivirus real-time scanning blocks file operations intermittently β€” add exclusions for build/automation folders
  • PowerShell -ErrorAction SilentlyContinue hides problems β€” use Stop and handle explicitly
  • Symbolic Links

  • Creating symlinks requires admin OR SeCreateSymbolicLinkPrivilege β€” regular users fail silently
  • Enable Developer Mode for symlinks without admin: Settings β†’ For Developers β†’ Developer Mode
  • mklink is CMD-only, PowerShell uses New-Item -ItemType SymbolicLink
  • Script Signing

  • Unsigned scripts fail on restricted machines with confusing errors β€” sign for production:
  •   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
      Set-AuthenticodeSignature -FilePath script.ps1 -Certificate $cert
      
  • AllSigned policy requires ALL scripts signed including profile.ps1
  • Operational Safety

  • Always -WhatIf first on destructive operations β€” Remove-Item -Recurse -WhatIf
  • Start-Transcript for audit trail β€” forgotten until incident investigation
  • NTFS permissions: icacls for CLI, but inheritance rules are non-obvious β€” test changes on copy first
  • WinRM Remoting

  • Enable correctly: Enable-PSRemoting -Force isn't enough on workgroups
  • Workgroup machines need TrustedHosts: Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server1,server2"
  • HTTPS remoting needs certificate setup β€” HTTP sends credentials readable on network
  • Event Logging

  • Scripts should log to Windows Event Log for centralized monitoring:
  •   New-EventLog -LogName Application -Source "MyScript" -ErrorAction SilentlyContinue
      Write-EventLog -LogName Application -Source "MyScript" -EventId 1000 -Message "Started"
      
  • Custom event sources require admin to create β€” create during install, not runtime
  • File Locking

  • Windows locks files aggressively β€” test file access before operations:
  •   try { [IO.File]::OpenWrite($path).Close(); $true } catch { $false }
      
  • Scheduled tasks writing to same file as user β†’ conflicts. Use unique temp files and atomic rename
  • Temp File Hygiene

  • $env:TEMP fills silently β€” scripts should cleanup with try/finally:
  •   $tmp = New-TemporaryFile
      try { ... } finally { Remove-Item $tmp -Force }
      
  • Orphaned temp files accumulate across reboots β€” unlike Linux /tmp
  • Service Account Gotchas

  • Services run in different user context β€” $env:USERPROFILE points to system profile, not user's
  • Network access from SYSTEM account uses machine credentials β€” may fail where user succeeds
  • Mapped drives don't exist for services β€” use UNC paths \\server\share