@ph33nx
Last active June 6, 2025 09:16
[JUN 2025 UPDATE] Windows 10/11 Hardening & Cleanup Script – Disable Telemetry, Turn Off Search Indexing, Purge Temp & Update Caches for Privacy and Security (sysadmin, remove telemetry, clean temp files, disable diagnostics, Windows privacy)
<#
.SYNOPSIS
    Hardens Windows 10/11 by disabling telemetry, turning off indexing, disabling Start-menu search suggestions, and cleaning up temp files, update caches, event logs, and the Recycle Bin.
.DESCRIPTION
    This script will:
      • Stop & disable Connected User Experiences & Telemetry (DiagTrack)
      • Disable WAP Push Agent (dmwappushsvc) and Diagnostic Policy Service (DPS)
      • Set AllowTelemetry = 0 in the registry (minimal data collection)
      • Disable the scheduled tasks “ProgramDataUpdater” and “Microsoft Compatibility Appraiser”
      • Turn off Windows Search indexing (service = WSearch)
      • Purge user Temp ($Env:TEMP) and system Temp ($Env:windir\Temp)
      • Clear Windows Update cache ($Env:windir\SoftwareDistribution\Download)
      • Clear Event Logs: Application, System, Security, Setup
      • Empty the Recycle Bin
      • Disable Feedback & Tips (ContentDeliveryManager)
      • Disable Start-menu search suggestions (Edge) via registry
      • Write a detailed log to $Env:USERPROFILE\logs\cleanup_and_harden_windows.log
.NOTES
    Author: ph33nx
    URL: https://github.com/ph33nx
    Keywords:
      disable telemetry Windows, harden Windows, sysadmin script, cleanup Windows,
      privacy PowerShell script, remove telemetry, disable search indexing,
      Windows 10 hardening, Windows 11 privacy, disable start-menu suggestions
    Requirements:
      • Windows 10 or Windows 11 (Tested on 21H2+)
      • PowerShell 5.1 or later (built-in)
      • Must be run as Administrator (self-elevates via UAC if needed)
    Usage:
      1. Save this file as “cleanup_and_harden_windows.ps1” in a folder of your choice.
      2. Right-click → “Run with PowerShell” (if not already elevated, you’ll get a UAC prompt),
         or open Terminal in the same folder and run .\cleanup_and_harden_windows.ps1
      3. Inspect the log at: $Env:USERPROFILE\logs\cleanup_and_harden_windows.log
      (To schedule automatically, create a Task Scheduler task that runs this .ps1 “with highest privileges.”)
#>
#region --- 0) SELF-ELEVATION CHECK ---
function Assert-Elevated {
    $isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator
    )
    if (-not $isAdmin) {
        Write-Host "`n[INFO ] Not running as Administrator. Attempting to relaunch under UAC..." -ForegroundColor Yellow
        Start-Process -FilePath 'powershell.exe' `
            -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" `
            -Verb RunAs
        Exit
    }
}
Assert-Elevated
#endregion
#region --- 1) SETUP LOGGING ---
$logDir = Join-Path $Env:USERPROFILE "logs"
$logFile = Join-Path $logDir "cleanup_and_harden_windows.log"
if (-not (Test-Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}
Start-Transcript -Path $logFile -Append -NoClobber
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "`n[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] Starting cleanup_and_harden_windows.ps1 (elevated)`n" -ForegroundColor Cyan
#endregion
#region --- 2) DISABLE TELEMETRY & DATA-COLLECTION SERVICES ---
Write-Host "[1/9] Disabling Telemetry & Data-Collection Services..." -ForegroundColor Green

# 2.1 Stop & disable Connected User Experiences & Telemetry (DiagTrack)
# Set-Service uses -ErrorAction Stop so that a failure actually reaches Catch.
Try {
    if (Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue) {
        Stop-Service -Name 'DiagTrack' -Force -ErrorAction SilentlyContinue
        Set-Service -Name 'DiagTrack' -StartupType Disabled -ErrorAction Stop
        Write-Output " - DiagTrack service stopped & disabled."
    }
    else {
        Write-Output " - DiagTrack service not found (maybe already removed)."
    }
}
Catch {
    Write-Error " ❌ Failed to disable DiagTrack: $_"
}

# 2.2 Stop & disable WAP Push Agent (dmwappushsvc)
Try {
    if (Get-Service -Name 'dmwappushsvc' -ErrorAction SilentlyContinue) {
        Stop-Service -Name 'dmwappushsvc' -Force -ErrorAction SilentlyContinue
        Set-Service -Name 'dmwappushsvc' -StartupType Disabled -ErrorAction Stop
        Write-Output " - dmwappushsvc service stopped & disabled."
    }
    else {
        Write-Output " - dmwappushsvc service not found."
    }
}
Catch {
    Write-Error " ❌ Failed to disable dmwappushsvc: $_"
}

# 2.3 Stop & disable Diagnostic Policy Service (DPS)
Try {
    if (Get-Service -Name 'DPS' -ErrorAction SilentlyContinue) {
        Stop-Service -Name 'DPS' -Force -ErrorAction SilentlyContinue
        Set-Service -Name 'DPS' -StartupType Disabled -ErrorAction Stop
        Write-Output " - DPS service stopped & disabled."
    }
    else {
        Write-Output " - DPS service not found."
    }
}
Catch {
    Write-Error " ❌ Failed to disable DPS: $_"
}

# 2.4 Disable scheduled tasks related to telemetry/compatibility
$tasksToDisable = @(
    "\Microsoft\Windows\Application Experience\ProgramDataUpdater",
    "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
)
foreach ($fullPath in $tasksToDisable) {
    Try {
        # Split the folder path vs. task name:
        # e.g. "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
        # Folder=\Microsoft\Windows\Application Experience\
        # Name=ProgramDataUpdater
        $parts = $fullPath.TrimStart("\").Split("\")
        $taskName = $parts[-1]
        $taskPath = "\" + ($parts[0..($parts.Length - 2)] -join "\") + "\"
        # -ErrorAction Stop: a missing or protected task reaches Catch
        # instead of being reported as disabled.
        Disable-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
        Write-Output " - Disabled scheduled task: $fullPath"
    }
    Catch {
        Write-Error " ❌ Unable to disable scheduled task $fullPath : $_"
    }
}

# 2.5 Set AllowTelemetry = 0 in registry
# (0 is honoured only on Enterprise, Education and Server editions; other editions treat it as 1)
Try {
    $dcKeyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
    if (-not (Test-Path $dcKeyPath)) {
        New-Item -Path $dcKeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $dcKeyPath -Name AllowTelemetry -Type DWord -Value 0 -Force
    Write-Output " - Registry updated: HKLM:\...\DataCollection\AllowTelemetry = 0"
}
Catch {
    Write-Error " ❌ Failed to set AllowTelemetry registry key: $_"
}
Write-Host "[1/9] Telemetry & Data-Collection Services disabled.`n" -ForegroundColor Green
#endregion
#region --- 3) DISABLE WINDOWS SEARCH INDEXING ---
Write-Host "[2/9] Disabling Windows Search (WSearch) indexing service..." -ForegroundColor Green
Try {
    if (Get-Service -Name 'WSearch' -ErrorAction SilentlyContinue) {
        Stop-Service -Name 'WSearch' -Force -ErrorAction SilentlyContinue
        # -ErrorAction Stop so that a failure actually reaches Catch.
        Set-Service -Name 'WSearch' -StartupType Disabled -ErrorAction Stop
        Write-Output " - WSearch service stopped & disabled."
    }
    else {
        Write-Output " - WSearch service not found."
    }
}
Catch {
    Write-Error " ❌ Failed to disable WSearch: $_"
}
Write-Host "[2/9] Windows Search indexing turned off.`n" -ForegroundColor Green
#endregion
#region --- 4) CLEAN USER & SYSTEM TEMPORARY FILES & CACHES ---
Write-Host "[3/9] Cleaning User & System Temporary Files..." -ForegroundColor Green

# 4.1 User Temp folder
$userTemp = $Env:TEMP
Try {
    Get-ChildItem -Path $userTemp -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    Write-Output " - Cleared User Temp folder: $userTemp"
}
Catch {
    Write-Error " ❌ Failed to clear user Temp ($userTemp): $_"
}

# 4.2 System Temp folder
$systemTemp = Join-Path $Env:windir "Temp"
Try {
    Get-ChildItem -Path $systemTemp -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    Write-Output " - Cleared System Temp folder: $systemTemp"
}
Catch {
    Write-Error " ❌ Failed to clear system Temp ($systemTemp): $_"
}
Write-Host "[3/9] Temporary files and caches purged.`n" -ForegroundColor Green
#endregion
#region --- 5) CLEAR WINDOWS UPDATE CACHE ---
Write-Host "[4/9] Clearing Windows Update Download Cache..." -ForegroundColor Green
Try {
    $wuSvc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if ($wuSvc -and $wuSvc.Status -ne 'Stopped') {
        Stop-Service -Name 'wuauserv' -Force -ErrorAction SilentlyContinue
        Write-Output " - Stopped Windows Update service (wuauserv)."
    }
}
Catch {
    Write-Error " ❌ Error stopping wuauserv: $_"
}

Try {
    $updateCache = Join-Path $Env:windir "SoftwareDistribution\Download"
    if (Test-Path $updateCache) {
        Remove-Item -Path $updateCache -Recurse -Force -ErrorAction SilentlyContinue
        New-Item -Path $updateCache -ItemType Directory -Force | Out-Null
        Write-Output " - Cleared Windows Update cache: $updateCache"
    }
    else {
        Write-Output " - Windows Update cache folder not found."
    }
}
Catch {
    Write-Error " ❌ Failed to clear Windows Update cache: $_"
}

Try {
    Start-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    Write-Output " - Restarted Windows Update service (wuauserv)."
}
Catch {
    Write-Error " ❌ Error restarting wuauserv: $_"
}
Write-Host "[4/9] Windows Update Download cache purged.`n" -ForegroundColor Green
#endregion
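#region --- 6) CLEAR EVENT LOGS ---
# Note: this discards the audit history held in these logs. Clearing the Security log
# records event ID 1102 there; clearing the other logs records event ID 104 in System.
Write-Host "[5/9] Clearing Windows Event Logs..." -ForegroundColor Green
$eventLogs = 'Application', 'System', 'Security', 'Setup'
foreach ($logName in $eventLogs) {
    # wevtutil is a native command and never throws, so check its exit code
    # rather than relying on Try/Catch.
    wevtutil cl $logName
    if ($LASTEXITCODE -eq 0) {
        Write-Output " - Cleared Event Log: $logName"
    }
    else {
        Write-Error " ❌ Failed to clear Event Log ${logName}: wevtutil exit code $LASTEXITCODE"
    }
}
Write-Host "[5/9] All specified Event Logs cleared.`n" -ForegroundColor Green
#endregion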
#region --- 7) EMPTY RECYCLE BIN ---
Write-Host "[6/9] Emptying Recycle Bin..." -ForegroundColor Green
Try {
    Clear-RecycleBin -Force -ErrorAction SilentlyContinue
    Write-Output " - Recycle Bin emptied."
}
Catch {
    Write-Error " ❌ Failed to empty Recycle Bin: $_"
}
Write-Host "[6/9] Recycle Bin emptied.`n" -ForegroundColor Green
#endregion
#region --- 8) DISABLE FEEDBACK & TIPS ---
Write-Host "[7/9] Disabling Feedback & Tips..." -ForegroundColor Green
Try {
    $cdmKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager"
    if (-not (Test-Path $cdmKey)) {
        New-Item -Path $cdmKey -Force | Out-Null
    }
    Set-ItemProperty -Path $cdmKey -Name SubscriptionContentSourceUri -Value "" -Force
    Set-ItemProperty -Path $cdmKey -Name ContentDeliveryAllowed -Value 0 -Force
    Write-Output " - Disabled Feedback & Tips (ContentDeliveryManager updated)."
}
Catch {
    Write-Error " ❌ Failed to disable Feedback & Tips: $_"
}
Write-Host "[7/9] Feedback & Tips disabled.`n" -ForegroundColor Green
#endregion
#region --- 9) DISABLE START-MENU SEARCH SUGGESTIONS (Edge) ---
Write-Host "[8/9] Disabling Start-menu Search Suggestions (Edge)..." -ForegroundColor Green
Try {
    $basePath = "HKCU:\Software\Policies\Microsoft\Windows"
    $explorerKey = Join-Path $basePath "Explorer"
    if (-not (Test-Path $explorerKey)) {
        New-Item -Path $explorerKey -ItemType Directory -Force | Out-Null
        Write-Output " - Created registry key: $explorerKey"
    }
    New-ItemProperty -Path $explorerKey `
        -Name "DisableSearchBoxSuggestions" `
        -PropertyType DWord `
        -Value 1 -Force | Out-Null
    Write-Output " - Set registry: HKCU:\Software\Policies\Microsoft\Windows\Explorer\DisableSearchBoxSuggestions = 1"
}
Catch {
    Write-Error " ❌ Failed to disable Start-menu Search Suggestions: $_"
}
Write-Host "[8/9] Start-menu Search Suggestions disabled. (Will take effect after restart)`n" -ForegroundColor Green
#endregion
#region --- 10) CLEAN UP ANY EXTRA ARTEFACTS (OPTIONAL) ---
# (You can insert additional steps here if needed.)
Write-Host "[9/9] Optional extra cleanup complete." -ForegroundColor Green
Write-Output "[9/9] Optional extra cleanup complete.`n"
#endregion
#region --- FINISH & STOP TRANSCRIPT ---
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "`n[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] Completed cleanup_and_harden_windows.ps1`n" -ForegroundColor Cyan
Stop-Transcript
# Wait for user to press Enter before closing
Write-Host "Press [Enter] to exit..." -ForegroundColor Yellow
Read-Host | Out-Null
#endregion
# End of Script
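
A read-only audit of the services, scheduled tasks and registry values the script above changes, useful for confirming the result after a run or a feature update. This is an added example, not part of the gist; `Add-Finding`, `$findings` and `$regChecks` are hypothetical names, and it makes no changes to the system.

```powershell
# Added example, not part of the gist: read back every setting the script changes.
# HKCU values are read for whichever account runs this audit.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Item, [string[]]$Expected, $Actual) {
    $findings.Add([pscustomobject]@{
        Item      = $Item
        Expected  = $Expected -join ' or '
        Actual    = "$Actual"
        Compliant = $Expected -contains "$Actual"
    })
}

# Services: disabled, or absent from this build, both count as compliant.
foreach ($name in 'DiagTrack', 'dmwappushsvc', 'DPS', 'WSearch') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $actual = if ($svc) { $svc.StartType } else { 'NotInstalled' }
    Add-Finding "Service $name" 'Disabled', 'NotInstalled' $actual
}

# Scheduled tasks under Application Experience.
$taskPath = '\Microsoft\Windows\Application Experience\'
foreach ($task in 'ProgramDataUpdater', 'Microsoft Compatibility Appraiser') {
    $t = Get-ScheduledTask -TaskPath $taskPath -TaskName $task -ErrorAction SilentlyContinue
    $actual = if ($t) { $t.State } else { 'NotPresent' }
    Add-Finding "Task $task" 'Disabled', 'NotPresent' $actual
}

# Registry values written in regions 2.5, 8 and 9.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Want = '0' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'; Name = 'DisableSearchBoxSuggestions'; Want = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'; Name = 'ContentDeliveryAllowed'; Want = '0' }
)
foreach ($c in $regChecks) {
    $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $prop) { $prop.($c.Name) } else { 'NotSet' }
    Add-Finding "$($c.Path)\$($c.Name)" $c.Want $actual
}

# AllowTelemetry = 0 is honoured only on Enterprise, Education and Server editions.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($edition -match 'Home|Pro') {
    Write-Warning "${edition}: AllowTelemetry = 0 is likely applied as 1 (Required) on this edition."
}

$findings | Format-Table -AutoSize -Wrap
$failed = @($findings | Where-Object { -not $_.Compliant })
Write-Output ("{0} of {1} checks non-compliant." -f $failed.Count, $findings.Count)
```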
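
Region 6 clears the Application, System, Security and Setup logs outright. The variant below exports each log to an `.evtx` file and records its SHA-256 before clearing, then shows the clear events that monitoring will see. It is an added example, not the gist author's code; `$archiveDir` is an assumed location, and it must run elevated to export the Security log.

```powershell
# Added example, not part of the gist: archive each log, then clear it only if the archive exists.
# $archiveDir is an assumed path; point it at storage covered by your retention policy.
$archiveDir = Join-Path $Env:ProgramData 'EventLogArchive'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -Path $archiveDir -ItemType Directory -Force | Out-Null

$archived = foreach ($logName in 'Application', 'System', 'Security', 'Setup') {
    $backup = Join-Path $archiveDir "${logName}-${stamp}.evtx"

    # Export first; wevtutil is a native command, so success is judged by exit code.
    wevtutil epl $logName $backup
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        Write-Warning "Export of $logName failed (exit code $LASTEXITCODE); log left untouched."
        continue
    }
    $sha256 = (Get-FileHash -Path $backup -Algorithm SHA256).Hash

    wevtutil cl $logName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Archive written, but clearing $logName failed (exit code $LASTEXITCODE)."
        continue
    }
    [pscustomobject]@{ Log = $logName; Archive = $backup; SHA256 = $sha256 }
}
$archived | Format-Table -AutoSize -Wrap

# What the clear leaves behind: event 1102 in Security, event 104 in System.
$clearEvents = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue
)
$clearEvents | Select-Object TimeCreated, LogName, Id, Message | Format-List
```

Store the printed hashes alongside the archives so the exported files can be verified later.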