How to Optimize Windows 10 for Security and Comfort: Step-by-Step Guide

By Ava McKinneyOnline Safety

Optimize Your Windows 10! Configuring Windows 10 for Safe and Comfortable Use

Over the years, Windows has evolved from a graphical shell for MS-DOS to a client interface for Microsoft’s cloud services. While it may never become a fully independent operating system, with some deep tweaks, you can make it a bit more secure and less unpredictable.

Before experimenting with the registry and system services, it’s highly recommended to create a restore point—or even better, make a full backup of your system partition.

Backing Up the Registry

One way to back up the registry is to use the REG EXPORT command in the console:

reg export HKLM hklm_backup.reg

This command creates a file named hklm_backup.reg with all the information from the HKEY_LOCAL_MACHINE branch. Repeat this for other registry branches as needed. You can also back up individual keys before making changes. If something goes wrong, you can always roll back by running the .reg file.

Gaining Access to the Registry

There are dozens of system tweaker programs out there, but most of their features boil down to three things:

  • Changing specific registry keys
  • Stopping unnecessary services
  • Adding or removing scheduled tasks

These procedures are often interconnected. For example, a running service may prevent you from deleting its registry key or may automatically restore a canceled scheduled task. Let’s look at each task in detail, going beyond standard recommendations.

Getting access to the registry is a particular challenge in newer versions of Windows, especially Windows 10. By default, even administrators can’t change values in many registry branches or delete files at will. The SYSTEM account has more privileges than any admin account. To fix this, you need to take ownership of the object (registry key, file, or folder) and then assign yourself access rights.

Method 1: Using regedit

This method doesn’t require any additional software. Simply run regedit as an administrator, select the desired key, right-click, and choose “Permissions.” Change the owner and set the necessary permissions.

Method 2: Using the Built-in SubInACL Utility

Download SubInACL from Microsoft’s website. Even though Windows 10 isn’t listed as supported, it works. Copy SubInACL.exe to %Windir%\System32\ for convenience. To use it, specify the object name, type, and desired action. For example:

SUBINACL /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" /setowner=XTester /grant=XTester=f

Replace XTester with your account name. To unlock the entire registry, use:

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=XTester=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=XTester=f

You can also take ownership of all files and folders on a drive:

subinacl /subdirectories %SystemDrive% /grant=XTester=f

Method 3: Using the Free SetACL Utility

Download and extract SetACL, then copy SetACL.exe to %Windir%\System32. Run the console as admin and use commands like:

SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" -ot reg -actn setowner -ownr "n:XTester"
SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger" -ot reg -actn ace -ace "n:XTester;p:full"

Once you have access, you can start modifying the registry as needed.

Disabling Cortana

Cortana is deeply integrated into Windows 10, with many registry entries. After unlocking the registry, you can disable Cortana with these commands (save as a .bat or .cmd file):

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f

Disabling Data Collection

Windows 10 sends gigabytes of “diagnostic” data to Microsoft, which may include confidential information. To stop this:

    1. Stop background services via services.msc or the console:
net stop DiagTrack
sc config DiagTrack start=disabled
net stop dmwappushservice
sc config dmwappushservice start=disabled
    1. Similarly, stop and disable these services:
      • diagnosticshub.standardcollector.service
      • DcpSvc
      • WerSvc
      • PcaSvc
      • DoSvc
      • WMPNetworkSvc
    2. Modify the registry with these commands:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient" /v "CorporateSQMURL" /t REG_SZ /d "0.0.0.0" /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "Enablelogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "EnableUpload" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v "NoExplicitFeedback" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f

Save these as a script and comment out any lines you don’t need for your specific computer.

Disabling Unsafe Services

Some Windows 10 services are known to create security holes. Stop and disable them using net stop and sc config:

  • RemoteRegistry
  • TermService
  • TrkWks
  • DPS

If you’re on a desktop, also disable mobile sensor services:

  • SensorDataService
  • SensorService
  • SensrSvc

If you don’t use Xbox, disable these:

  • XblAuthManager
  • XblGameSave
  • XboxNetApiSvc

Optionally, disable Remote Assistance via the registry:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f

To disable administrative shares:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f

Setting Automatic Pagefile Cleanup

To prevent password and confidential data leaks, set Windows to clear the pagefile at shutdown:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f

Disabling Autorun from Removable Media

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f

Clearing History

To disable saving lists of recently opened files:

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\FileHistory" /v "Disabled" /t REG_DWORD /d 1 /f

To disable search history:

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f

To disable app history:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD

Removing Preinstalled Apps

To remove built-in Windows 10 components, first kill the app’s process, then uninstall it. For example, to remove OneDrive:

taskkill /f /im OneDrive.exe
start %SystemRoot%\System32\OneDriveSetup.exe /uninstall

Setting Up Automatic Restore Point Creation

You can automate restore point creation using the WMI command-line utility. Set up System Restore once, then create a batch file with:

Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 1

Add it to Task Scheduler to run on your chosen schedule.

God Mode (Quick Access to All Settings)

Many Windows 10 settings are buried deep in menus. For quick access, create a new folder on your desktop with the name:

AnythingYouWant.{ED7BA470-8E54-465E-825C-99712043E01C}

The folder icon will change, and clicking it will show a list of over 200 settings in alphabetical order.

Disabling Automatic Updates

To stop Windows from installing updates automatically, use the registry:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d 0 /f

This allows you to install updates manually when you choose.

Removing Scheduled Telemetry Tasks

Telemetry tasks are found in sections like “Customer Experience,” “Cloud Experience,” “App Statistics,” “File Statistics,” “Disk Diagnostics,” “Power Efficiency Diagnostics,” “Family Safety Monitor,” and more. Use schtasks to stop and disable them. For example:

schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable

Other telemetry tasks include:

  • Microsoft\Windows\AppID\SmartScreenSpecific
  • Microsoft\Windows\Application Experience\AitAgent
  • Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
  • Microsoft\Windows\Application Experience\ProgramDataUpdater
  • Microsoft\Windows\Application Experience\StartupAppTask
  • Microsoft\Windows\Autochk\Proxy
  • Microsoft\Windows\CloudExperienceHost\CreateObjectTask
  • Microsoft\Windows\Customer Experience Improvement Program\Consolidator
  • Microsoft\Windows\Customer Experience Improvement Program\BthSQM
  • Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask
  • Microsoft\Windows\Customer Experience Improvement Program\UsbCeip
  • Microsoft\Windows\Customer Experience Improvement Program\Uploader
  • Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector
  • Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver
  • Microsoft\Windows\DiskFootprint\Diagnostics
  • Microsoft\Windows\FileHistory\File History (maintenance mode)
  • Microsoft\Windows\Maintenance\WinSAT
  • Microsoft\Windows\NetTrace\GatherNetworkInfo
  • Microsoft\Windows\PI\Sqm-Tasks
  • Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem
  • Microsoft\Windows\Shell\FamilySafetyMonitor
  • Microsoft\Windows\Shell\FamilySafetyRefresh
  • Microsoft\Windows\Shell\FamilySafetyUpload
  • Microsoft\Windows\Windows Error Reporting\QueueReporting

Conclusion

There are many programs online that promise to “improve Windows performance,” but they usually act as black boxes, making unknown changes. All their functions can be replaced with a set of batch scripts as described in this article.

Creating your own set of scripts may take some effort, but only once. After that, everything can run on a schedule (via Task Scheduler) or on demand with a single click. Most importantly, you’ll always know exactly what’s being changed in the registry and system services. Plus, working in the console will deepen your knowledge of Windows 10 and help you perform similar tasks anywhere.

Leave a Reply