Windows

Windows-specific patterns, security practices, and operational traps that cause silent failures.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "Windows" with this command: npx skills add ivangdavila/windows

Credential Management

  • Never hardcode passwords in scripts — use Windows Credential Manager: 
    # Store
cmdkey /generic:"MyService" /user:"admin" /pass:"secret"
# Retrieve in script
$cred = Get-StoredCredential -Target "MyService"
  • For scripts, use Get-Credential and export securely: 
    $cred | Export-Clixml -Path "cred.xml"  # Encrypted to current user/machine
$cred = Import-Clixml -Path "cred.xml"

Silent Failures

  • Windows Defender silently quarantines downloaded scripts/executables — check quarantine if script disappears
  • Group Policy overrides local settings silently — gpresult /r to see what's actually applied
  • Antivirus real-time scanning blocks file operations intermittently — add exclusions for build/automation folders
  • PowerShell -ErrorAction SilentlyContinue hides problems — use Stop and handle explicitly

Symbolic Links

  • Creating symlinks requires admin OR SeCreateSymbolicLinkPrivilege — regular users fail silently
  • Enable Developer Mode for symlinks without admin: Settings → For Developers → Developer Mode
  • mklink is CMD-only, PowerShell uses New-Item -ItemType SymbolicLink

Script Signing

  • Unsigned scripts fail on restricted machines with confusing errors — sign for production: 
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert
Set-AuthenticodeSignature -FilePath script.ps1 -Certificate $cert
  • AllSigned policy requires ALL scripts signed including profile.ps1

Operational Safety

  • Always -WhatIf first on destructive operations — Remove-Item -Recurse -WhatIf
  • Start-Transcript for audit trail — forgotten until incident investigation
  • NTFS permissions: icacls for CLI, but inheritance rules are non-obvious — test changes on copy first

WinRM Remoting

  • Enable correctly: Enable-PSRemoting -Force isn't enough on workgroups
  • Workgroup machines need TrustedHosts: Set-Item WSMan:\localhost\Client\TrustedHosts -Value "server1,server2"
  • HTTPS remoting needs certificate setup — HTTP sends credentials readable on network

Event Logging

  • Scripts should log to Windows Event Log for centralized monitoring: 
    New-EventLog -LogName Application -Source "MyScript" -ErrorAction SilentlyContinue
Write-EventLog -LogName Application -Source "MyScript" -EventId 1000 -Message "Started"
  • Custom event sources require admin to create — create during install, not runtime

File Locking

  • Windows locks files aggressively — test file access before operations: 
    try { [IO.File]::OpenWrite($path).Close(); $true } catch { $false }
  • Scheduled tasks writing to same file as user → conflicts. Use unique temp files and atomic rename

Temp File Hygiene

  • $env:TEMP fills silently — scripts should cleanup with try/finally: 
    $tmp = New-TemporaryFile
try { ... } finally { Remove-Item $tmp -Force }
  • Orphaned temp files accumulate across reboots — unlike Linux /tmp

Service Account Gotchas

  • Services run in different user context — $env:USERPROFILE points to system profile, not user's
  • Network access from SYSTEM account uses machine credentials — may fail where user succeeds
  • Mapped drives don't exist for services — use UNC paths \\server\share

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub