Where Angels Fear
11 min readApr 7, 2020


I have not much shy of forty years of experience of IT (I started very young).

From application programming, driver development, by way of specialising in firmware and hardware, networking and storage technologies, multimedia applications development, Computer Based Training development, web development and management, information architecture, UX/UI design, systems administration, systems integration, project management … you name it and it’s pretty much certain that, at one stage or other in my life/career, I did it professionally and as a hobby.

That’s just shy of forty years of screwing myself over with one tweak too far, one registry hack too many, ‘fixing’ it until it broke time and time again … and had to completely rebuild both hardware and OS from the ground up.

And I haven’t only lost data, merely destroyed harddrives, just fried graphics cards and/or monitors, nor even simply irreparably trashed server BIOSes in my pursuit of systems tailored to my needs/desires … I’ve literally set things on fire!

So, believe me, when I say Windows 10 is the biggest pile of manure yet — in many ways, worse even than Win95!

The more I investigate, the clearer it becomes how poorly managed Microsoft is.

Even in Win 10 Pro, it’s still the case that, if you want a logoff script to actually complete, you don’t add it to the logoff scripts as a Group Policy Object but create a task in the scheduler that runs on session disconnect.

Why has that still not been resolved?

Because it works without having to re-engineer old code to function properly.

But even that’s no guarantee of success …

Take a Win10 Pro system.

Create a logoff.cmd script stored in the default \Windows\System32\GroupPolicy\Machine\Scripts\Shutdown folder, containing the following three lines:

netsh interface set interface “WiFi” disabled

netsh wlan delete profile name=”Network Name”

taskkill /F /IM application.exe

If you run it (as an administrator) then it completes — it kills the application, thus proving that it executes to the end of the script.

Subsequently, there are no network connections available and you’re directed to the Network & Internet settings, if you want to connect to a wireless network.

So, it’s executing the first line correctly and disabling the adapter.

But, if you re-enable the network adapter and connect, it doesn’t re-order the available network list, nor does it request the network security key.

So, it isn’t successfully executing the second line and forgetting the network.

If you re-order the first two lines, it still completes successfully, killing the application and still successfully disabling the adapter.

So, it’s not the execution order that’s the problem.

However, if you execute the second line ‘by hand’ from an elevated command prompt, subsequently, when attempting to connect, it has forgotten the network and demands the security key!

You try running the script file as a scheduled task instead of a GPO, triggered on local disconnect from any user session, with the highest privileges, both as the directly affected user (in the Administrators group) and as the SYSTEM ‘user’ … both whether the user is logged on or not and only when logged in … and it makes no difference either way — so, it doesn’t seem to be a user permissions elevation issue either.

You think and think and think … have a brainwave and solve the problem: weirdly, even if you weren’t connected to the network to start with, you still have to execute a netsh wlan disconnect command first, if you want it to forget the network.

Now you just need to figure out why:

  1. running the script directly works;

2. running the task works, but keeps displaying ‘running’ status;

3. it completes, but doesn’t even disconnect, never mind disable the adapter, after a simple logoff — the scheduler doesn’t seem to execute the disconnect command in time.

You try adding a scheduled task … run with the highest privileges … as SYSTEM … whether the user is logged on or not … triggered by a Microsoft-Windows-Security log event (source: Security-Audit-Configuration-Client, Event ID: 4647) … both as a basic task and a custom filter — after all, for that event to be registered and logged, it all has to happen before the logout event prevents that process from completing … so, you’d expect it to trigger the script in time, right?

No dice … when you log back in, you’re still connected — what’s really weird is that disabling the NIC works fine … and you’d expect that to take longer than simply disconnecting.

You think and think some more and have another brainwave.

In the LGPE Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff\Audit Logoff\Properties\Explain tab, it is claimed that if the policy is not configured then no audit event is generated when a logon session is closed.

But you already know from your peek into the Event Viewer (Local)\Windows Logs\System, in which you filtered the list of current log event IDs by ‘4647’ … and saw all the logoff events for whatever your default logging timeframe is … with the Keywords value of ‘Audit Success’ there for all interested sysadmins to see … that that particular ‘help file’ entry is utter bollox.

So, clearly, MS need to get off their arses and either:

1. sack whoever is responsible for not having had the documentation updated in FIVE YEARS!

2. talk to the engineers and ascertain whether even one of them has even the least f**king clue how the OS they developed actually f**king works … or whether Windows 10 is a hobby they work on ad hoc in their spare time, when they’re not doing their day job (Server/AD/Azure whatever) — in which case, fair enough, it’s understandable that it should be a complete f**king mess of bolted on parts that only work together by accident (if at all) … because there’s no actual strategy behind it! ¹

Windows 10 is no more than the Fisher-Price version of WinNT4/Win2K.

The problem is … and I don’t know if you’ve noticed this … over the last couple of years, it has increasingly become the case that web searches don’t simply return low quality results but barely return any results at all — it doesn’t matter how you re-word your query, what you get is page after page of links to the same four-to-eight results, just with a different accompanying text snippet and/or more (or less) fully formed URI.

So, if you don’t already know the answer, you’re increasingly unlikely ever to do so … meaning that the Management’s acceptance of the devs’ bland assurances that “everyone knows the workaround, so we don’t need to fix it” is a sad indictment of the quality of their management!

There’s no such thing is Windows ‘Pro’ any more either.

It’s aimed at entrepreneurs/self-employed/creatives and other people who “Have laptop. Will travel” — people with a need for the extra security of FDE (Bitlocker) and the facility to demo their new tech offering to clients (so, virtualisation is useful to them) … but no need for the corporate features of ‘Enterprise’ (they’ll almost certainly never connect to an AD as anything more than a guest).

It’s really little more than ‘Home Plus’ … or ‘Windows Small Business (That Can’t Afford An Enterprise Licence) Edition’

For instance …

In the Enterprise and Education editions, as part of the branding options, you can remove access to the assistive technology feature on the lock and sign-in screens

In Pro, you can disable it as a side-effect of editing the permissions of the executable, so that it doesn’t execute when anyone in the Everyone group tries to launch it … but you can’t remove the icon from the screens — you can add the necessary registry entry to disable it, but it will be ignored by Home and Pro editions.

It’s an utterly needless restriction, especially given that equality/anti-discrimination legislation means that the two places you are not going to disable it are in business and education environments!

But, there you go, you see … you might be a professional, but you’re not professional enough to need more actual control over your device than a Home user — features (Bitlocker/HyperV/etc.), sure … but not control.

Even Android gives you more control than Mac OSX or Win10!!!

I mean … Edge won’t even let you save a webpage!

What’s more …

Even leaving aside the dumbing down, whereby more and more features are removed with every update … meaning that Pro is now basically just Home with Hyper V and BitLocker … the desktop employee version … (they’ll be removing GPEdit/SecPol next, you just watch) … and the only ‘power’ users there will be in future will be corporate dogsbodies in the IT Dept. performing authorised tasks only, not actual power users as we have known them until now … who won’t understand the underlying principles any better than a Mac user

Even leaving aside the atrocious Ul … ( I don’t think anyone there has ever needed to worry whether their autocorrect recognises misspellings of ‘ergonomics’ … because they’ve never thought of writing the word themselves) …

The UX is appalling. There’s neither rhyme nor reason to where stuff is … just the bolted on ideas of whichever hobbyist thought they’d develop some feature the users might like in their spare time when they weren’t working on their day job.

MS (and Windows) have turned into the worst-of-both-worlds-bastard-offspring of Google and Apple: all of Google’s slurp with all of Apple’s dumbasses-in-the-Pretty-Crayons-Department demographic.

Linux has been slowly going the same way for years now too; before very very much longer (say ten years or so), the only way there’ll be to get hands-on control of it will be to have rich parents and roll your own Linux From Scratch — because, unless you’re so wealthy the only ‘job’ you’ll ever need will be the sinecure position in the family business, the only way you’ll have to keep on top of all the CVEs will be to do absolutely nothing else all day, every day!


I’ll look into timers … I really don’t want to put the shutdown in the script, if I can avoid it: it’s a clunky workaround that I’m trying not to resort to … not least because I can’t be certain there’s a way to remove the Power ‘button’ from the Start menu at all, let alone that is guaranteed not to glitch out randomly ² — besides which, I shouldn’t have to!


Got the f**ker!

Separate the commands out into individual scripts and put them in the LGPE \User Configuration\Windows Settings\Scripts\Logon/Logoff\Logoff entry.

No, it makes no sense that a system-wide process that is to be carried out independently of which user is concerned or whether they are logged on or not should be applied not to the system but to user-settings, but there you go, at least it works, and, instead, today’s takehome from my sojourns into the world of mental midgets is the fact that I can’t create a script to perform a long task and have it execute on shutdown, but not restart.

There’s no way to differentiate between the two via the LGPE Local Computer Policy\Computer Configuration\Windows Settings\Scripts\Startup/Shutdown\Shutdown entry.

You can create a task in the Scheduler that will trigger on the event Log: System, Source: User32, Event ID: 1074 … but that doesn’t differentiate between a shutdown and a restart either.

And the official documentation on the WM_QUERYENDSESSION message states that the message is sent when either a user or an application calls one of the system shutdown functions, but the lParam parameter takes a value of ‘0’ (zero) if the system is shutting down or restarting and it is not possible to differentiate between the two — so, there goes any hope of intercepting it and acting upon it appropriately from within a shutdown script.


This is Windows 10!

Think about that.

Ten versions later and it still doesn’t offer basic differentiation between fundamental values at a system level.

Well, if you can pass a value to the kernel to tell it to reboot rather than shutdown, why the f**k can’t you query what that value is!?

Jesus wept!

¹ Spend any time on the Microsoft support sites and forums and you’ll pretty quickly notice that none of the support engineers has a clue … citing solutions and references that were superceded by an update two or more years before they supplied their ‘solution’ to a user’s problem. Besides which, even when they do have more recent information available … that is applicable to the version in question and not an altogether different one … updates regularly undo the tweaks you make (both by hand and with tools) … sometimes even rendering them completely ineffective afterwards, even if you re-apply them (which is pretty impressive given the move from the monthly ‘Patch Tuesday’ releases to a biannual upgrade cycle … to give the developers time to test things before releasing them and make sure they work).

² The chances of my being able to replace the Power button are laughably small, I suspect — not without some dodgy registry hack anyway ³.

³ And the days when I got excited about successfully tweaking registry settings … to make an operating system I f**king PAID FOR do what I want it to do rather than what some halfwit decided is more than sufficient for my needs in their opinion … after three days of trial, error, freeze, crash, refuse to boot, re-install, start again … are long since past — so, I’m not holding my breath, because I’M NOT GOING THERE!

⁴ These days, when I wanna geek out, I do it in Linux … where things do as they’re told, how they’re told, when they’re told and nothing else!

⁵ If they don’t, it’s because you got it wrong, not some random asshat developer with an entirely inordinately high opinion of their own abilities thanks to their record-breaking Dunning-Kruger affliction.



Where Angels Fear

There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live and too rare to die.