๐ธ Alien-grade post-install automation for Windows deployments
Automate. Harden. Customize.
A PowerShell script for paranoid sysadmins, red teamers & sovereign devs.
Windows, your way โ not from Earth. Definitely not from Redmond.
Click to collapse/expand
WinPostInstall is a modular and stealthy PowerShell script that fully automates post-installation on Windows systems.
Originally developed on Windows 11 and tested across several setups, it's meant to reproduce my ideal system setup in a single run: hardened, minimal, themed, tooled, and private.
โ๏ธ Note: This script is under active development โ not production-grade yet. Treat it as a strong baseline and expect regular improvements.
It leans on native PowerShell, WinGet, Store integration, optional EXE packages, and WSL tooling โ and thus should work on a wide range of modern Windows versions. Only Windows 11 is officially supported for now.
โ ๏ธ Issues on other versions? PRs and reports are welcome.
Crafted for red teamers, sysadmins, and aliens who expect more than Windows-as-a-service.
- โ๏ธ Hardened, secure, and reproducible setup โ built around privacy, performance, and minimalism.
- ๐ Fully themed dark UI and terminal.
- ๐ Secure by default: disables legacy components, noisy services, and telemetry.
- ๐ ๏ธ Dev & Ops ready:
- Oh-My-Posh + Powerlevel10k
- Custom aliases, plugins, and shell tuning
- WSL2, Exegol, and full offensive toolchains
Your machine, your rules. Hardened, stripped, elegant.
โก๏ธ A fully optimized, secured, and ready-to-use Windows system โ zero manual tweaks needed.
Because Iโm detail-obsessed (some say perfectionist โ I say precise), every aspect must match: appearance, usability, performance, privacy, and security.
I built this script to get the exact system I need โ consistently, efficiently, and silently.
This script ensures your machine is:
- ๐ก๏ธ Hardened against telemetry and common APT tradecraft.
- ๐งน Purged of bloatware, spyware, and corporate-grade nonsense.
- ๐งฐ Preloaded with hundreds of curated tools (WinGet, Store, direct EXEs).
- ๐จ Themed with clean dark UI, shell, and wallpapers.
- ๐งฌ Ready for offensive security, reverse engineering, dev, and automation.
All of that โ with sarcasm, emojis, and APT-style stealth. โจ
- ๐ฆ System Configuration
- โ Set custom computer name
- โ Set computer description
- โ Define OEM information
- โ Set workgroup
- โ Configure multi-monitor display (extend bottom-top)
- โ Apply power settings
- โ Pin drives C:\ and A:\ to Start Menu
- โ Disable Fast Startup
- โ Set system clock to UTC
- โ Show file extensions
- โ Show hidden files
- โ Disable Recent Files and Frequent Folders
- โ Show super hidden files
- โ Enable God Mode folder
- โ Enable NumLock by default on boot
- ๐งฐ Windows Tweaks
- โ Disable Telemetry
- โ Disable Content Delivery Manager
- โ Apply performance and privacy optimizations
- โ Optimize NTFS file system parameters
- โ Optimize system performance settings
- ๐จ Wallpaper & UI
- โ Copy wallpapers to C:\Wallpapers
- โ Set a specific image as desktop background
- โ Enable Dark Theme
- โ Show accent color on Start/Taskbar
- ๐ Basic Security Hardening
- โ Disable unnecessary services (e.g., Xbox, Telemetry, RemoteRegistry, etc.)
- โ Disable scheduled tasks tied to CEIP, SmartScreen, Xbox, Maps, etc.
- โ Remove preinstalled bloatware and OEM packages (e.g., Candy Crush, OneConnect, Skype, Flipboard)
- โ Disable optional Windows features like Internet Printing, PDF Print, SMB Direct, WorkFolders, RDC
- ๐ฆ Core Applications Installation
- โฌ Microsoft Store apps by Name:
- Tools like EarTrumpet, Lively Wallpaper, ModernFlyouts, MSI Center, Copilot, FxSound, etc.
- โฌ Microsoft Store apps by ID:
- Afterburner, ModernFlyouts, etc.
- โฌ Winget Applications:
- Browsers: Firefox (stable & dev), Brave, Opera GX, Mullvad Browser, Tor Browser
- Languages: Go, Java JRE/JDK, Python, Rust (+ toolchains), Node.js
- Security: Burp Suite, IDA Free, WireGuard, Wireshark, VeraCrypt, KeePassXC, Sysinternals Suite, Nmap
- Dev tools: Visual Studio 2022/2019 Build Tools, Git, GitLFS, Terraform, Vagrant, Docker, Kubernetes, VSCode (Codium), Chocolatey, Notepad++, Anki, Sublime Text
- Privacy tools: ProtonMail, ProtonVPN, Signal, OnionShare
- Creative tools: OBS Studio, GIMP, Pinta, Krita, DaVinci Resolve (optional)
- Media & utilities: VLC, Audacity, ShareX, 7zip, WinDirStat, BleachBit, RSS readers
- Reverse engineering: dnSpy, PE-bear, Rizin Cutter
- Gaming & launchers: Steam, Epic Games, Ubisoft, Minecraft Launcher, Valorant
- Office & productivity: LibreOffice, Microsoft Office, Logseq, Obsidian
- Extras: REAPER, Discord, Telegram, TeamViewer, AutoHotkey, PowerToys, ExifTool
- ๐ Executable Installations:
- Run offline .exe files like Ankama Launcher, OfficeSetup, wsl_update_x64.msi
- โฌ Microsoft Store apps by Name:
- ๐ Path Variable Management:
- Add useful dev/security tool directories to the system PATH
- ๐ก๏ธ Advanced Security Hardening
- Execute and audit HardeningKitty configuration baseline
- Apply custom Windows Firewall hardening
- Enable key Windows Defender features:
- Exploit Protection
- Controlled Folder Access
- ASR (Attack Surface Reduction) rules
- Real-time protection, cloud MAPS, Defender signature updates
- Threat scanning and remediation
- Enable Virtualization-based Security (VBS) features
- Enable WDAC (Windows Defender Application Control)
- Refresh Group Policies & WSUS
- ๐งฌ Environment Setup
- Create and configure a new Firefox Profile
- Create a custom directory structure for user data
- ๐งช WSL + Exegol Deployment
- Guide user through enabling WSL + Docker integration
- Install pipx, Exegol, and argcomplete
- Generate and import PowerShell tab-completion for Exegol
- Add completion script to PowerShell profile
- ๐ Post-Restart Flow
- Executed if script is called with -AfterRestart:
- Re-install wsl_update_x64.msi
- Enable WSL2
- Install WSL distros: Debian, Ubuntu, Kali
- Re-run bloatware removal
- Setup Exegol after reboot
- Executed if script is called with -AfterRestart:
- ๐ธ Style and Experience
- Modular structure with timestamped output
- Stylized UX with ๐ฝ emojis, colored messages, sarcastic jokes
- Banner display via Show-Banner
- Full admin check at start
- Final system reboot
Compatibility with other versions (LTSC, Server editions, Insider builds...) is possible (probable), but not guaranteed.
- Go to GitHub repo.
- Click
<> CodeโDownload ZIP. - Extract the archive to your desired location.
- Temporarily allow script execution:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process๐ Important: This command temporarily adjusts the execution policy to allow script execution for the current process only, minimizing security risks. Always examine scripts before executing them to ensure safety.
- Run the script:
.\WinPostInstall.ps1Alternatively, for a streamlined approach, combine the execution policy adjustment with script launch in a single line:
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; .\WinPostInstall.ps1
โ ๏ธ Note: This script must be run as Administrator. It will request administrator privileges automatically at start.
We truly appreciate and welcome community involvement. Your contributions, feedback, and suggestions play a crucial role in improving the project for everyone. If you're interested in contributing or have ideas for enhancements, please feel free to open an issue or submit a pull request on our GitHub repository. Every contribution, no matter how big or small, is highly valued and greatly appreciated!
Explore the star history of this project and see how it has evolved over time:
Your support is greatly appreciated. We're grateful for every star! Your backing fuels our passion. โจ
This project is licensed under the GNU Affero General Public License, Version 3.0. For more details, please refer to the LICENSE file in the repository: Read the license on GitHub
