Windows

Warning: As of Sep 2021, seems like the OpenSSH implementation in Windows stores keys in the Windows Registry instead of RAM... seems dangerous. (update: open since 2019, till today Oct 2024).

• Enable OpenSSH: Apps > Optional Features > OpenSSH Client
• Enable OpenSSH authentication agent: Services > OpenSSH Authentication Agent
  • Add keys: ssh-add -t 86400 [PRIVATEKEY] (add key to agent with 1 day lifetime)
  • Clear keys: ssh-add -D

Problems, of course. SSH agent seems to have to query sshd? Can resolve by adding dummy sshd in admin prompt: sc.exe create sshd binPath=C:\Windows\System32\OpenSSH\ssh.exe. But ssh-add still fails to add the key with a timeout, even in admin prompt... Here's another caution for using Window's SSH agent. Mitigation can be as simple as clearing the keys every midnight.

On passphrase-encryption for private key: https://askubuntu.com/questions/346114/how-to-retrieve-passphrase-for-private-key

128-bit AES... So, assuming a strong password and highly parallel decryption (for instance using GPGPU) having 210 threads, each having a very optimistic rate of 230 operations per second, after a day of time, you could have run about 256 operations. With an effective complexity of around 2100, it would take about 3 billion years to break the key...

On known-plaintext attack on AES-128: https://crypto.stackexchange.com/questions/3952/is-it-possible-to-obtain-aes-128-key-from-a-known-ciphertext-plaintext-pair

No for practical definitions of possible, assuming the key was chosen truly randomly, and no side-channel information is available (such as the power-consumption traces of the encrypting device, or the time it took, for many encryptions). The design of AES strives to be such that the best way to find the key from plaintext-ciphertext examples is to try keys among the 2128 possible keys.

Note that brute force attacks are still viable if the passphrase is short.

Clear SSH agent: Clears the keys stored in ssh-agent every midnight. Resolves the problem of Window's port of OpenSSH agent caching the unencrypted private key in Windows Registry and not in RAM.

SSH keys that have too open permissions cannot be used for authenticating a session (this happens when the keyfile is kept on a shared drive, for example). Generally a valid concern, but mostly mitigated with a sufficiently complex passphrase for encrypting the private key. Alternatively, one can just change the permissions for the object directly:

change_permissions.bat

::# Set Key File Variable:
    Set Key="id_rsa"

::# Remove Inheritance:
    Icacls %Key% /c /t /Inheritance:d

::# Set Ownership to Owner:
    :: # Key's within %UserProfile%:
         Icacls %Key% /c /t /Grant %UserName%:F

    :: # Key's outside of %UserProfile%:
         TakeOwn /F %Key%
         Icacls %Key% /c /t /Grant:r %UserName%:F

::# Remove All Users, except for Owner:
    Icacls %Key% /c /t /Remove:g "Authenticated Users" BUILTIN\Administrators BUILTIN Everyone System Users

::# Verify:
    Icacls %Key%

::# Remove Variable:
    set "Key="

To copy the SSH key to a remote host, use the following command, and verify the remote host fingerprint using the `-o VisualHostKey=yes` flag:

$ cat ~/.ssh/id_rsa.pub | ssh [USER]@[HOST] "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys" -o VisualHostKey=yes
The authenticity of host '[HOST] (fe80::1e69:7aff:fe6c:6927%10)' can't be established.
ECDSA key fingerprint is SHA256:V2ETP7Epl+pu+4SGyWpSVahZvQqECmyHnDgpZb5ZM0o.
+---[ECDSA 256]---+
| *oo   .   o=..  |
|=oB . . . o.o+ = |
|.oEo+. . + .o.B  |
| . =.o  + ...+ . |
|  +     So...    |
|        .o.+ .   |
|       .  + + .  |
|      . .. o..   |
|       o.  .oo.  |
+----[SHA256]-----+
Are you sure you want to continue connecting (yes/no/[fingerprint])?

This took a while to figure out. A couple of resources to start reading from:

• xplain: A series of articles explaining how X11 works, in terms of event handling and rasterization, among others. Interactive article!

# For Powershell
> $env:DISPLAY="127.0.0.1:0"

# For cmd
> set DISPLAY=127.0.0.1:0

# SSH commands
# Connecting to untrusted machine
> ssh -X
# Connecting to trusted machine
> ssh -Y

Optional Features: OpenSSH Server

More reliable method to go via CLI: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell

# Check installation status
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Do a localhost connection test to verify SSH working.

TightVNC is a fantastic option for VNC in Windows, relatively easy to set up too. Even better when layered over a mesh Tailscale network which can provide a direct node-to-node authentication/encryption layer, or using the SSH tunneling option, i.e. ssh -L 5903:USER@HOST:5900 USER@HOST to tunnel remote VNC port 5900 to local port 5903 (though you need to separately supply the route as well).

Only problem is when there is no active display registered in Windows, which VNC relies on to render display (probably to identify screen resolutions...?). Connecting to a laptop with the lid closed, for example, blacks out the display. This can be bypassed either with a dummy plug, e.g. Headless Ghost, or via another connection protocol, e.g. Teamviewer.

Examples of VNC clients include TightVNC Viewer, and VNC Viewer (supplied by RealVNC).

This article was rather helpful in pointing in the right direction. Started to face issues in getting a connection at all, but turns out it was mainly a syntax issue.

Start by installing WinFsp (FUSE-equivalent that installs a kernel driver as filesystem abstraction layer) and SSHFS-Win (SSHFS port for Windows). The SSHFS-Win-Manager recommended doesn't seem to work well in my case (plus plaintext password store, why?), so avoided that.

In the "Map Network Drive" interface, the syntax (had to find out from SO) follows, noting the / at the end due to my server being a Linux system:

\\sshfs\USER@HOST/

To unmap a drive, consider using: net use Z: /delete

Network drives mapped locally on-site is not automatically reflected in an SSH session - this is by design since mapped network drives are user-specific, see this comment for more intricacies.

To scp to/from a Windows remote, apply quotation marks to allow backslashes to be used, and have an overall quotation to escape these characters, e.g.

scp -r justin@192.168.1.100:"\"\"C:\Users\Justin\Desktop\projects\"\"" ~/projects

Note the -r may be necessary, otherwise a "protocol error: filename does not match request" error may be raised.

A selection of commands to list processes:

# List processes
tasklist
tasklist /fi "imagename eq notepad.exe"

# List process PID with associated TCP ports
netstat -ano -p tcp

# Kill tasks
taskkill /pid {{PID}}

The computer can be powered up from a low power mode via sending of a wake-on-lan magic packet. Several conditions must be met:

1. Wake-on-LAN enabled in motherboard BIOS
   • This effectively enables the motherboard to continuously supply power to the Ethernet card to listen for WoL packets.
   • The name of this option can vary between different manufacturers. For Gigabyte with Z690 chipset, this corresponds to "ErP: disabled" (ErP stands for "Energy-related Products", which is an European Union environmental directive, which requires devices be supplied less than 1W (or 0.5W? Online quotes are sketchy), effectively disabling WoL)
2. Wake-on-LAN enabled on Windows driver for Ethernet card
   • Wake on magic packet should be enabled in properties, and "This device can start the computer" + "Only magic packets can start" enabled under Power Management tab
3. Firewalls in internal network should not drop WoL packets (typically port 9)
   • This includes the device from which the outgoing WoL packet is sent
4. Windows should not perform a S4 hybrid shutdown transition
   • During hybrid shutdown, devices are kept in D3 mode and system is in S4 hybrid shutdown state. Something something Windows issues command to Ethernet card to disable WoL, but I'm honestly not sure what actually happens. See this article for more details.
   • Under Power Options, "Turn on fast startup" should be disabled to allow a full shutdown instead of this weird hybrid shutdown state. Sleep (S3) and hibernate (S4) states are also valid states to wake from. See this article for illustration.

Note that Windows Firewall probably does not need to open port 7 or 9 (common WoL ports)- WoL is a Layer 2 MAC protocol, and it enables the Ethernet card to trigger motherboard chipset to initiate start up, i.e. nothing actually happens at the OS level.

To send the magic packet itself from Linux, consider using the wakeonlan library.

> wakeonlan MY:MA:CA:DD:RE:SS

Note that both devices must be within the same subnet, since the WoL packet itself is broadcasted. To retrieve MAC address, use ipconfig /all.

Note also that the HDMI port needs to be connected to signal to the GPU/iGPU that there is a display to output to, so that connection to a display remotely can commence. Either keep the HDMI cable connected to a monitor, or use a dummy HDMI plug, e.g. Headless Ghost.

Windows has a native hypervisor appropriately called "Windows hypervisor".

Virtualization in Windows is an interesting topic. There are five separate virtualization-related features that can be enabled in Optional Features:

• Windows Hypervisor: Not an optional feature. This is Microsoft's Type-1 hypervisor, available in all editions of Windows.
• Hyper-V Platform: This is a client to Windows hypervisor, that sits under Windows. When enabled, the Windows host itself will be deployed as a virtual machine, which then will require the nested virtualization feature enabled to run nested virtual machines. On non-Home platforms, the optional feature Hyper-V allows management of virtual machines running on Windows Hypervisor through the Hyper-V platform.
• Windows Hypervisor Platform (WHP): Provides an API for third-party applications to allow use of the Windows Hypervisor for virtualization, e.g. VirtualBox, Docker.
• Virtual Machine Platform (VMP): Provides similar virtualization services (but is undocumented by Microsoft, not the Hyper-V hypervisor itself), and is an internal requirement for Windows Subsystem for Linux (WSL).
• Windows Sandbox: Not really a virtualization platform as much as it is a jail/sandbox. As of Windows 11 Build 22509, state preservation is possible if restarts initiated from within system itself.

Note that for Windows 11, the Windows hypervisor must be used for any virtualization, instead of third-party hypervisors.

Probably need to read up more on native virtualization instructions as well, e.g. Intel VT-x and AMD-V.

Windows can be installed without a license (activation reminders will start randomly appearing after 30 days of non-activation) - for licensing in VM environment, there seems to be some specific enterprise license for it. A quick PSA that using unactivated Windows is not illegal, but activating Windows through unofficial channels is illegal.

To obtain the Windows ISO, there are many many methods:

1. Direct download from Microsoft consumer-facing website. Note that for Windows 11, there is a TPM2.0 requirement which your hypervisor will need to fulfill (VMware Workstation supports TPM, VMware Player however does not).
2. Download from Microsoft build servers via UUP Dump. This method provides scripts to download from individual Windows development channels (i.e. Public, Release, Beta, Dev).
3. Download through MediaCreationTool (Windows official deployment software) using AveYo's wrapper script. Works by passing appropriate command line flags. For Windows 11, this has additional script embedding to disable TPM checks.
4. Download using Rufus. Version of Rufus must be 3.6 and above, and if download button does not appear, clear rufus.ini.

If using Rufus to write to a bootable disk, TPM can also be disabled as well.

See documentation for configuration variables.

Personally haven't got this to work for just any application on a native level yet, intended use was for gaming within sandbox. See configuration below:

config.wsb

<!-- 
  Windows Sandbox configuration file
  https://docs.microsoft.com/en-us/windows/security/
    threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file
-->
<Configuration>
 
  <!-- Utilities -->
  <Networking>Disable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <vGPU>Enable</vGPU>
  <MemoryInMB>8000</MemoryInMB>
 
  <!-- Volumes -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>Z:\</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Shared</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Shared</Command>
  </LogonCommand>
 
  <!-- Security -->
  <ProtectedClient>Enable</ProtectedClient>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
 
</Configuration>

On Windows Pro platforms, Hyper-V can be used to run virtual machines. Enable Hyper-V in the Optional Features dialog, then create a new VM. Note when prompted to press any key to boot from CD/DVD, do so.

If you're looking to use GPU passthrough (known as Direct Device Access (DDA) in Microsoft lingo), currently needs Server editions of Windows, see this comment. Here's a possible guide for a setup with AMD Threadripper. There used to be a RemoteFX interface by Microsoft, but it got removed due to vulnerabilities.

Another interface called GPU Partitioning (GPU-P) on the other hand is possible, although very much undocumented by Microsoft, and it works even before Nvidia's GPU passthrough enablement announcement. See this article (and a similar Reddit post, reproduced below for longevity:

add_gpu_drivers.ps1

# Run this in host OS
$vm = "windowsvm"
 
Add-VMGpuPartitionAdapter -VMName $vm
Set-VMGpuPartitionAdapter -VMName $vm -MinPartitionVRAM 80000000 -MaxPartitionVRAM 100000000 -OptimalPartitionVRAM 100000000 -MinPartitionEncode 80000000 -MaxPartitionEncode 100000000 -OptimalPartitionEncode 100000000 -MinPartitionDecode 80000000 -MaxPartitionDecode 100000000 -OptimalPartitionDecode 100000000 -MinPartitionCompute 80000000 -MaxPartitionCompute 100000000 -OptimalPartitionCompute 100000000
 
Set-VM -GuestControlledCacheTypes $true -VMName $vm
Set-VM -LowMemoryMappedIoSpace 1Gb -VMName $vm
Set-VM –HighMemoryMappedIoSpace 32GB –VMName $vm
 
# With the VM running, copy the following files:
# - C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_*
#   --> C:\Windows\System32\HostedDriverStore\FileRepository\
# - C:\Windows\System32\nv*
#   --> C:\Windows\System32\
#
# If using command line, Guest Services must be enabled for guest OS
Copy-VMFile "windowsvm" -SourcePath "C:\Windows\System32\nvapi64.dll" -DestinationPath "C:\nvapi64.dll" -CreateFullPath -FileSource Host

Checkpoints need to be disabled, otherwise this dialog pops up:

For audio output, route using VB Audio Cable.

If still failing with Code 43 error, try this one for size: https://github.com/jamesstringerparsec/Easy-GPU-PV Notably uses Parsec for streaming instead, mentioning that Hyper-V and RDP methods will only offer up to 30 FPS, while Parsec offers 4K60FPS. To check current Windows build, go to Settings > System > About.

Add the following to Parsec config to allow resolution changes as well:

C:\ProgramData\Parsec\config

host_virtual_monitors = 1
host_privacy_mode = 1

If full GPU passthrough needed, use another hypervisor like ESXi (see ESXi free limitations) or Proxmox (KVM\libvirt) instead, or start with a Linux host (see guides here and here.

A compiled list of programs that may find common usage, updated as of 2022-07-24. Common programs are typically available through Ninite:

Initial configuration for Windows:

1. Machine:
   • Activate Windows / Login into Microsoft account (for digital licensing)
   • Sync time to NTP server and adjust timezone
   • Rename PC (restart required)
   • Repeatedly prompt Windows Update for updates + restart until nothing else to install
     • Need to manually click on the "Check for updates" button
     • Install optional/missing drivers (including motherboard/chipset drivers through their management interface)
   • Enable BitLocker for drive encryption
   • Disable unused startup services
2. UI customization:
   • Hide unnecessary stuff in the toolbar
   • Toolbar to the left
   • Configure File Explorer:
     • Enable hidden files and file extensions
     • Disable "Show recently used files/folders"
     • Disable navigation pane "Expand to open folder"
   • Create a convenience PATH folder within Documents and add to environment variables
   • Customize taskbar pinned apps
3. Authentication:
   • Map network drives
   • Create scheduled task to clear SSH keys
   • Create ed25519 private key + copy to remote authorized keys
   • Add hosts to SSH config file
   • Configure Powershell:
     • Change Powershell remote execution policy: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
     • Create Powershell profile: $Home\Documents\WindowsPowerShell\Profile.ps1 (exact parent directories might differ)
4. Optional features:
   • Disable Microsoft XPS document writer
   • Enable Windows Subsystem for Linux (WSL) + Virtual Machine Platform (VMP)
     • As easy as wsl --update and wsl --install -d Ubuntu-22.04
   • Enable Windows Sandbox
5. Stress test PC:
   • Monitor temperatures during stress test, e.g. CoreTemp with Cinebench R23
   • System monitoring with HWiNFO (overall system with logging), CoreTemp (core temperatures alone with logging), GPU-Z (GPU logging)

If strange entries (e.g. "Program") appear in Task Manager, check where the trigger is located Startup Type, and what location is it pointing to Command line. Source. Possible locations:

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry: HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Folder: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup

Shame on you, Microsoft Teams.

• https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-installation-process?view=windows-11
• https://www.windowscentral.com/how-create-unattended-media-do-automated-installation-windows-10

route -4 print  # metric is a cost function
route add [SUBNET] mask [MASK] [GATEWAY_IP] metric [REL_METRIC]
route delete [SUBNET]

• For an example: https://superuser.com/questions/347534/ssh-server-cant-be-connected-to-when-vpn-is-turned-on

• In a CG-NAT setup, when the connection between the routers is interrupted, Windows will somehow become unable to reach the outermost internal network. This problem does not occur on Ubuntu. Fix is a restart.

Identify open ports and figuring out which PIDs have accessed them:

netstat -aon | grep LISTENING

then cross-compare with the PID numbers of applications in Task Manager > Details.

• https://www.reddit.com/r/Windows10/comments/fapcuy/using_gpu_during_remote_desktop/