| title | The IT Admin's Troubleshooting Toolkit |
|---|---|
| layout | default |
π‘οΈ Your Swiss Army Knife of IT Diagnostics & Fixes Youβll Actually Use
A comprehensive reference for system troubleshooting and repair tools, processes, and diagnostics.
- Boot into Safe Mode via
msconfigorShift + Restart. - Enable Windows Installer in Safe Mode to uninstall apps:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service" net start msiserver
- Run built-in and downloadable troubleshooters
- Reset Windows Update components
- Use
DISMandsfcfor image and file repair - Cleanup superseded components
- View startup programs in Task Manager, shell:startup, registry
- Use
autoruns.exefor deep analysis - Can be run via
\live.sysinternals.com\tools\autoruns.exe
netsh winsock reset
netsh int ip reset
ipconfig /flushdnsnetsh wlan show profile name="SSID" key=clearcurl ifconfig.mewsreset.exe
winget upgrade --all --accept-source-agreements --accept-package-agreementsDISM /Online /Cleanup-Image /StartComponentCleanup
DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBasesfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth- Re-register apps and DLLs
- Rebuild search index
- Use Setup.exe for in-place repair
fsck,debsums,diskutil,csrutil status- SMART diagnostics with
smartctl
Get-CimInstance -Class Win32_ComputerSystemProduct | Select UUID
Get-NetAdapter | Select Name, MacAddress
[guid]::NewGuid()autoruns,tcpview,procexp,procmon- Run from
\live.sysinternals.com\tools\<tool>.exe
- SaRA: https://aka.ms/SaRA
msdt.exe /id <DiagnosticID>- Examples:
- ActivationDiagnostic
- WindowsUpdateDiagnostic
- PrinterDiagnostic
- Examples:
psr.exe /start /output "C:\Temp\steps.zip" /gui no
psr.exe /stop- Can't connect to HTTPS websites
- Windows Update fails
- Microsoft 365 apps sign-in errors
- Email/calendar sync issues
w32tm /query /status
w32tm /query /configurationw32tm /resyncw32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /update
net stop w32time
net start w32timeUse https://time.gov to compare visually.
Sometimes users accidentally enable these features by holding keys too long or pressing repeatedly.
| Feature | What It Does | Shortcut Key |
|---|---|---|
| Sticky Keys | Press modifier keys (Shift, Ctrl, Alt, Windows) one at a time instead of holding | Press Shift 5 times |
| Filter Keys | Ignores brief/repeated keystrokes | Hold Right Shift for 8 seconds |
| Toggle Keys | Plays sound when Caps Lock, Num Lock, or Scroll Lock is pressed | Hold Num Lock for 5 seconds |
| High Contrast | Switches to high-contrast color scheme | Left Alt + Left Shift + Print Screen |
| Magnifier | Opens screen magnifier | Windows + Plus (+) |
| Narrator | Starts screen reader | Ctrl + Windows + Enter |
| On-Screen Keyboard | Opens virtual keyboard | Windows + Ctrl + O |
| Color Filters | Enables color filters | Windows + Ctrl + C |
You can disable shortcut prompts in Settings β Accessibility β Keyboard.
-
Temporarily allow in session:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
-
Allow for current user:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
-
Check current policy:
Get-ExecutionPolicy -List
-
"Cannot be loaded because running scripts is disabled" β Fix with execution policy above.
-
Module not found:
Install-Module -Name ModuleName -Scope CurrentUser Import-Module ModuleName
-
Untrusted Repository Warning:
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
-
List running processes:
Get-Process -
Get system info:
Get-ComputerInfo -
List services:
Get-Service | Where-Object { $_.Status -eq 'Running' }
-
Restart a service:
Restart-Service -Name 'wuauserv'
-
Export command output to file:
Get-Process | Out-File -FilePath C:\Temp\processlist.txt
-
Test network connectivity:
Test-NetConnection www.google.com
-
Keyboard Shortcuts to Navigate:
Alt + Tab: Switch between open windowsAlt + F4: Close current windowWindows + X: Open power user menuCtrl + EscorWindows key: Open Start MenuTabandArrow keys: Navigate within UIEnter: Select an itemShift + F10: Right-click equivalent
-
Enable Mouse Keys (Control Cursor with Numpad):
- Press
Alt + Left Shift + Num Lock - Confirm prompt to turn on Mouse Keys
- Use the numeric keypad to move the pointer
- Press
-
On-Screen Keyboard:
- Launch with
Windows + Ctrl + O - Navigate using arrow keys and Enter to type
- Launch with
-
On-Screen Keyboard (OSK):
- If a mouse works, navigate to:
- Start β Settings β Accessibility β Keyboard β Turn on On-Screen Keyboard
- Or run:
osk.exe
- If a mouse works, navigate to:
-
Touchscreen Devices:
- Use on-screen touch keyboard if available
-
Speech Recognition:
- Start Speech Recognition:
control /name Microsoft.SpeechRecognition
- Or use
Windows + Hto enable dictation
- Start Speech Recognition:
-
Remote Access Tools:
- Connect from another device using Remote Desktop, TeamViewer, or similar
- BIOS/UEFI Settings: Some systems require enabling legacy USB support for keyboards/mice.
- Try Different USB Ports: Prefer back panel ports for keyboards (direct chipset connection).
- Test with Bootable USB: Verify hardware works outside of Windows (e.g., Linux live CD).
- "Cannot establish a secure connection"
- "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" (in browsers)
- Remote Desktop, SMTP, or VPN TLS errors
- Event Viewer logs Schannel errors (Event ID 36887)
- Client/server use incompatible TLS versions
- Older OS lacks modern protocols (TLS 1.2, TLS 1.3)
- Disabled protocols via registry or group policy
- Outdated applications with hardcoded old TLS versions
-
Use PowerShell:
Test-NetConnection example.com -Port 443
-
Use OpenSSL (Linux/macOS/Windows with OpenSSL):
openssl s_client -connect example.com:443 -tls1_2
-
Enable TLS 1.2/1.3 via registry (Windows):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
-
Check Group Policies:
- Computer Configuration β Administrative Templates β Network β SSL Configuration Settings
-
Update apps and libraries (e.g., curl, OpenSSL, browsers)
- Browser shows "Your connection is not private" (NET::ERR_CERT_AUTHORITY_INVALID)
- Expired certificates cause connection failures
- Third-party root certificates silently injected (security risk)
-
Windows:
certmgr.msc(Current User Certificates)mmc.exeβ Add/Remove Snap-in β Certificates (Local Computer)
-
PowerShell:
Get-ChildItem -Path Cert:\LocalMachine\Root
-
macOS:
- Applications β Utilities β Keychain Access
-
Linux:
- System store:
/etc/ssl/certs/ - CA bundle files:
/etc/ca-certificates.conf - Commands:
update-ca-certificates openssl x509 -in cert.pem -text -noout
- System store:
-
Compare to baseline lists:
- Microsoft: https://aka.ms/trustedrootprogram
- Mozilla CA List: https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
-
Use PowerShell or OpenSSL to export and review installed root certs.
-
Windows:
- Use Windows Update to refresh root certificates.
- Manually delete suspicious certs in
certmgr.msc. - Re-import from trusted sources if needed.
-
macOS:
- Delete unwanted certs in Keychain.
- System updates refresh system CA store.
-
Linux:
- Update CA certificates:
sudo update-ca-certificates
- Update CA certificates:
- Firefox: Uses its own certificate store (independent of OS)
- Preferences β Privacy & Security β View Certificates
- Chrome, Edge, Safari: Use OS-level certificate stores
-
Install the module:
Install-Module PSWindowsUpdate -Force -Scope CurrentUser Import-Module PSWindowsUpdate
-
Download and install all critical and security updates:
Get-WindowsUpdate -Install -AcceptAll -AutoReboot
- Accepts all applicable updates and reboots if required.
Run the following commands in sequence:
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall
UsoClient RestartDeviceNote: Provides limited feedback but works for simple update triggers.
- Windows Update for Business policies
- Microsoft Endpoint Configuration Manager (MEMCM/SCCM)
- Intune Update Rings
- WSUS (Windows Server Update Services)
After applying all updates, run:
DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBase- Reduces disk space by cleaning up superseded updates.
- Prevents rolling back removed update versions.
For feature updates and major cumulative rollups:
- https://www.microsoft.com/software-download/windows10
- https://www.microsoft.com/software-download/windows11
Sometimes legacy devices or applications require older protocols or features that are disabled by default in modern Windows versions.
Warning: SMBv1 is deprecated and insecure. Only enable if absolutely necessary.
-
Enable via Windows Features (GUI):
- Control Panel β Programs and Features β Turn Windows features on or off
- Check "SMB 1.0/CIFS File Sharing Support"
-
Enable via PowerShell:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
-
Disable after migration:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
- IE is deprecated, but Edge has "IE Mode" for legacy apps.
- Enable via Group Policy:
- Computer Configuration β Administrative Templates β Microsoft Edge β Configure Internet Explorer integration β Enable
Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient- Useful for simple TCP port tests with legacy devices.
Enable-WindowsOptionalFeature -Online -FeatureName DirectPlay -NoRestartAdd-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"- Required by many legacy network printers and monitoring tools.
Re-enable registry entries to use classic Windows Photo Viewer in Windows 10/11.
- Guides available online; involves file association changes.
-
XPS Viewer:
Add-WindowsCapability -Online -Name "XPS.Viewer~~~~0.0.1.0"
-
Windows Media Player (optional in some editions):
Enable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer
Always disable deprecated features after use, or isolate devices needing them for security.