windows

Credential Management

• Never hardcode passwords in scripts — use Windows Credential Manager: powershell # Store cmdkey /generic:"MyService" /user:"admin" /pass:"secret" # Retrieve in script $cred = Get-StoredCredential -Target "MyService"
• For scripts, use Get-Credential and export securely: powershell $cred | Export-Clixml -Path "cred.xml" # Encrypted to current user/machine $cred = Import-Clixml -Path "cred.xml"

Silent Failures

• Windows Defender silently quarantines downloaded scripts/executables — check quarantine if script disappears
• Group Policy overrides local settings silently — gpresult /r to see what's actually applied
• Antivirus real-time scanning blocks file operations intermittently — add exclusions for build/automation folders
• PowerShell -ErrorAction SilentlyContinue hides problems — use Stop and handle explicitly

Symbolic Links

• Creating symlinks requires admin OR SeCreateSymbolicLinkPrivilege — regular users fail silently
• Enable Developer Mode for symlinks without admin: Settings → For Developers → Developer Mode
• mklink is CMD-only, PowerShell uses New-Item -ItemType SymbolicLink

Script Signing

• Unsigned scripts fail on restricted machines with confusing errors — sign for production: powershell $cert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert Set-AuthenticodeSignature -FilePath script.ps1 -Certificate $cert
• AllSigned policy requires ALL scripts signed including profile.ps1

Operational Safety

• Always -WhatIf first on destructive operations — Remove-Item -Recurse -WhatIf
• Start-Transcript for audit trail — forgotten until incident investigation
• NTFS permissions: icacls for CLI, but inheritance rules are non-obvious — test changes on copy first

WinRM Remoting

• Enable correctly: Enable-PSRemoting -Force isn't enough on workgroups
• Workgroup machines need TrustedHosts: Set-Item WSMan:localhostClientTrustedHosts -Value "server1,server2"
• HTTPS remoting needs certificate setup — HTTP sends credentials readable on network

Event Logging

• Scripts should log to Windows Event Log for centralized monitoring: powershell New-EventLog -LogName Application -Source "MyScript" -ErrorAction SilentlyContinue Write-EventLog -LogName Application -Source "MyScript" -EventId 1000 -Message "Started"
• Custom event sources require admin to create — create during install, not runtime

File Locking

• Windows locks files aggressively — test file access before operations: powershell try { [IO.File]::OpenWrite($path).Close(); $true } catch { $false }
• Scheduled tasks writing to same file as user → conflicts. Use unique temp files and atomic rename

Temp File Hygiene

• $env:TEMP fills silently — scripts should cleanup with try/finally: powershell $tmp = New-TemporaryFile try { ... } finally { Remove-Item $tmp -Force }
• Orphaned temp files accumulate across reboots — unlike Linux /tmp

Service Account Gotchas

• Services run in different user context — $env:USERPROFILE points to system profile, not user's
• Network access from SYSTEM account uses machine credentials — may fail where user succeeds
• Mapped drives don't exist for services — use UNC paths \servershare