Uncategorized

Windows Defender May Delete PowerShell Scripts…and More!

Leave a comment

Here’s a fun way to start a Monday: you fire up a PowerShell script you’ve run many times — maybe it provisions a batch of AD accounts, maybe it sweeps stale GPOs — and it simply vanishes. No error dialog. No event log entry. Quarantine warnings not provided, either. The file is just gone, like it offended someone. Which, as it turns out, it did.

The culprit? Recent changes to Microsoft Defender’s Attack Surface Reduction (ASR) rules — specifically, tightened enforcement arrived with Windows 11 23H2. And it has only grown more aggressive in 24H2/25H2. If you manage Windows endpoints for a living, this one deserves some notice.

How and Why Windows Defender May Delete PowerShell Scripts

Microsoft has been steadily ratcheting up ASR rules over the past couple of years. Two rules in particular have become dramatically more assertive: “Block execution of potentially obfuscated scripts” and the newer “Block execution from known script interpreter paths” (rule GUID 9e6c4e5a-1037-4377-92f4-2db0f7e629e7). The latter now matches elevated execution paths that have nothing to do with user shell startup, which means your perfectly legitimate admin scripts can get caught in this net.

Here’s the insidious part. Starting with the 23H2 and 24H2 Defender sensor updates, script-blocking ASR rules are now enforced at the kernel driver layer (via WdFilter.sys, Defender’s minifilter drive) — before process creation even occurs. That means scripts launched via WMI, COM+, or scheduled tasks can be silently killed or quarantined without generating an event log entry. You get no breadcrumbs. The script just doesn’t run, and the script file itself may disappear.

This has caused a wave of false positives hitting legitimate PowerShell scripts, SCOM monitoring agents, Active Directory management tools, and enterprise deployment scripts. If you experienced déjà vu reading that, you’re not wrong. In January 2023, a faulty Defender signature update (builds 1.381.2134.0 through 1.381.2163.0) caused the “Block Win32 API calls from Office macro” ASR rule to go haywire and mass-delete Start menu and taskbar shortcuts across enterprises. Microsoft had to ship a dedicated recovery script (AddShortcuts.ps1) and a taskbar repair utility to clean up the mess. Consider this the sequel — quieter but just as disruptive.

How to Recover Deleted or Quarantined Files

If Defender has eaten your scripts, don’t panic. Work through these steps in order:

  1. Check Defender’s quarantine via the GUI. Open Windows Security → Virus & threat protection → Protection history. Filter by “Quarantined Items.” If your script is there, select it and choose Restore.
  2. Browse the quarantine folder directly. Quarantined files live in C:\ProgramData\Microsoft\Windows Defender\Quarantine. They’re encrypted, but they show that Defender took them.
  3. Use PowerShell for deeper inspection. Run Get-MpThreatDetection and Get-MpThreat to list recent detections and see exactly which ASR rule fired. To restore from the command line, use MpCmdRun.exe -Restore -ListAll followed by MpCmdRun.exe -Restore -Name <ThreatName>.
  4. Add targeted exclusions. Use Add-MpPreference -ExclusionPath “C:\Scripts” or configure per-rule exclusions via Intune or Group Policy to prevent recurrence.
  5. Restore from backup. If the file is gone from quarantine entirely, fall back to File History, system restore points, or your backup solution of choice.
  6. For enterprise environments: check the Microsoft 365 Defender portal’s quarantine and Action Center — detections from managed endpoints often surface there even when local logs stay silent.

That leads to what I’ll call a “Pro tip” for admins to consider. Before enabling any new or aggressive ASR rule, set it to Audit mode first (value 2) rather than Block mode (value 1). Audit mode logs what would be blocked without actually deleting anything. Run it for a week or two, review the results in Event Viewer under Microsoft → Windows → Windows Defender → Operational (Event IDs 1121 and 1122), and then flip to Block. This single practice would have prevented most of the heartburn described above.

You Win Some, You Lose Some…

Let me be clear: Defender’s tighter ASR rules are genuinely good for security. Blocking script execution at the kernel level before a process even spawns is a meaningful defense against fileless malware and living-off-the-land attacks. But Microsoft badly needs to improve logging transparency when scripts get blocked at the kernel driver layer. Silent enforcement with no audit trail isn’t “defense in depth” — it’s “debugging in the dark.”

Until that gets fixed, the playbook is straightforward: keep good backups, audit before you block,  and test ASR changes in a staging ring before pushing to production. Remember: your antimalware solution is only as smart as its latest signature update. As the January 2023 shortcut debacle proved, even Microsoft’s own rules can bite the hand that feeds them. I think these just bit me. Don’t let it happen to you!

But Wait! There’s More…

In my usual ElevenForum readover this weekend, I stumbled on a thread that mentioned scripts — and an encrypted password file — disappearing from the poster’s Windows 11 PC. As I responded to that thread “This is deeply disturbing.” It just doesn’t seem right that Defender can cause scripts (and more) to vanish via rule enforcement. You need to steer around this pothole until it gets filled. Not an unfamiliar strategy, alas, here in Windows-World.

Facebooklinkedin
Facebooklinkedin
AI, Cool Tools, Insider stuff, Recent Activity, WED Blog, Windows 11

Testing Catches Copilot Errors

Leave a comment

I’m happy to admit that Copilot makes many of my Windows adventures easier to undertake. It certainly helps a great deal with PowerShell scripting stuff. But just this morning I was reminded that it’s always smart to question — and verify — everything Copilot tells me. In testing a USB4 NVMe enclosure just now, I asked it which of the ThinkPad X12 Detachable Gen 1 left-side USB-C ports is faster, remembering that one is 10Gbps (UASP) and the other 40Gbps (TB4). It replies “the lower port,” so I run CrystalDiskMark on both to check its answer. Once again, I confirm that testing catches Copilot errors. Let me explain.

How Testing Catches Copilot Errors

Simply put, checking what Copilot tells you will either confirm that it’s correct, or show that it’s wrong. As you can see in the lead-in graphic, which places the upper USB-C port left, and the lower one at right, large reads are MUCH faster on the left. That means the upper port MUST be the TB4 one because UASP/10Gbps can’t deliver more than 1,000 – 1,200 MB/s for either reading or writing.

When I showed Copilot the CDM results, it responded as follows:

I had it backwards — apologies for the bad call. The source I pulled from apparently described the ports in board-schematic order rather than physical top-to-bottom position as you see them on the tablet. Your bench test is the definitive answer.

And if you’re seeing typical UASP numbers (~1,000 MB/s sequential) from the lower port right now, that confirms it’s the USB 3.2 Gen 2 controller — exactly what you’d expect at 10 Gbps with protocol overhead.

At least, it doesn’t fight with me when I knock it over the head with contrary results. And when it writes scripts, the PowerShell mostly either works or it doesn’t. In the latter case, Copilot may fumble around for a while but it eventually gets things right.

Trust, But Verify

It’s not unreasonable to believe much, or perhaps even most, of what Copilot tells you. But if you don’t check its work, you’re setting yourself up for trouble. It’s good at finding stuff and presenting theories and explanations. It’s by no means infallible, as I have just shown. Take that into account, when you start leaning on it for help…

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Secure Boot, USB devices, WED Blog, Windows 11

Making Boot/Recovery Media CA-2023 Compliant

Leave a comment

OK, I confess. I’m more than a little OCD in keeping my Windows PCs updated. That applies to Secure Boot as much as anything else. And recently, in bringing my mini-fleet here at Chez Tittel up to snuff, I’ve found myself with old boot UFDs and current PCs. Yesterday, I blogged about that in a post about  “Checking Boot/Recovery Media…” Today, in reading the ElevenForum threads I learned that Garlin’s check script now includes boot media status. I also learned how to make my dozen or so bootable UFDs current.

Bootloader Is Key: Making Boot/Recovery Media CA-2023 Compliant

As you can see in the lead-in graphic the file named bootx64.efi is key to compliance. If the file is signed with CA-2023, it’s good; if it’s signed with CA-2011; it’s banned. Fortunately replacing a banned file with the good version is pretty straightforward. But because Windows doesn’t keep the C:\Windows\Boot\efi folder synched to what’s actually in the EFI partition, boot files are best garnered from the latter, not the former.

The steps in the process to provide a CA-2023 signed bootx64.efi therefore go best as follows:
1. Mount the EFI partition as an accessible drive: mountvol /S S:
2. Rename the existing UFD file to .old:
rename g:\efi\boot\bootx64.efi bootx64.old
3. Copy the CA-2023 bootloader into place:
copy S:\efi\boot\bootx64.efi to G:\efi\boot\bootx64.efi
4. Unmount the EFI partition for cleanup:

Note: On Macrium Reflect rescue disks you want to copy the CA-2023 version of bootx64.efi onto bootmgfw.efi instead.

Check Your Work: Run Garlin Script

You can use the latest version (be sure to download before use) of the Garlin Check_UEFI-CA2023.ps1 script to check your work. The correct syntax for this invocation reads (be sure to Unblock in advance):

.\check_UEFI-CA2023.ps1 -bootmedia -verbose

If all goes well the output should (nearly) match what you see in the lead-in graphic. If status shows BANNED, not ALLOWED, then the bootloader is signed with CA-2011, not CA-2023.

It’s pretty easy to fix, though. Hopefully you can do what I just did and bring all of your boot media into compliance. Cheers!

Facebooklinkedin
Facebooklinkedin
Backup/Restore, Cool Tools, Insider stuff, Recent Activity, Secure Boot, WED Blog, Windows 11

Checking Boot/Recovery Media CA-2023 Status

Leave a comment

Here’s an interesting consequence of the switchover in the Secure Boot chain of trust from CA-2011 to CA-2023. Once that occurs, you can’t boot from install, repair and recovery media that doesn’t support CA-2023. The PC firmware will reject it as “non-compliant.” What that means is with the revocation of CA-2011 upcoming in June, it’s time to start checking boot/recovery media CA-2023 status. When you can, it’s also time to replace older non-compliant media with newer, compliant versions.

I had Copilot write me a PowerShell Script that did 3 key things:
1. It checked to make sure drive G: (default letter for my UFDs) was present and accounted for
2. It showed me the top-level directory so I could see what I was dealing with (handy to distinguish installers, repair tools, etc.)
3. If it found EFI files, it reported Yes/No on their CA-2023 compliance.

After Checking Boot/Recovery Media CA-2023 Status, Then…?

The TL;DR answer to this question is: replace it if needed, keep it otherwise. I also used this opportunity to label my UFDs so I would know what I had in the future. I found all kinds of interesting stuff, including:

  • An MSI flash drive for my “new” MAG Tomahawk B550 mobo, a UEFI updater for v 2.90 on the ASRock B550 Extreme4+
  • Multiple Macrium Reflect and Hasleo Backup Suite rescue UFDs
  • A copy of the Windows DaRT (Diagostics and Recovery Toolset)
  • Multiple Windows Installer UFDs, mostly via MCT, some from UUPDump

Here’s the interesting thing: NONE of these items is CA-2023 compliant. Copilot says, in fact, that MS has not yet released an installer or repair ISO that includes the CA-2023 boot files in the EFI partition (see lead-in graphic bottom portion). I’d planned to update my dozen or so bootable UFDs today if I could. Looks like I’ll be waiting a while…

Key Takeaway

If you revoke CA-2011 support on any or all of your Windows PCs, you put yourself in the position of having to go into UEFI and turn off Secure Boot sometimes. When might that be? Whenever you want or need to use media to boot that PC for repair, recovery or installation. Good to know! That’s not the kind of thing I’d like sprung on me as a total surprise. Bet you feel the same way, too…

Facebooklinkedin
Facebooklinkedin
Cool Tools, Device drivers, Insider stuff, Recent Activity, WED Blog, Windows 11

Flo6 Gets Unghosted, Loses 183 Drivers

1 Comment

When I switched my production PC, Flo6, from the ASRock to the MSI motherboard on March 21, I left a large crew of ghosts behind. In this case, a ghost is a no-longer-used driver that remains in the driver store even though it’s out of service and irrelevant to the new installation. Thankfully, Copilot helped me remember and find Uwe Sieber’s outstanding Device Cleanup Tool. It specializes in identifying and removing such ghosts. After using the tool, Flo6 gets unghosted, loses 183 drivers (!), and gets considerably slimmed down.

How Flo6 Gets Unghosted, Loses 183 Drivers

At first I tried a tool named GhostBuster. It showed me I had 399 drivers installed on Flo6, of which up to 193 could be removed. But I couldn’t actually make it remove anything. So I asked Copilot for a different option, among which I recognized Uwe Sieber’s aforementioned tool. It worked, too!

Sieber’s Device Cleanup Tool shows ONLY drivers that may be removed. So I removed all of them. Of the 194 in that collection, 11 came back after a reboot (you can see them in the lead-in screencap). That’s how I got to the 183 number for the count of drivers removed from Flo6 overall. I used PowerShell to calculate before and after sizes for the DriverStore. It started out at 10.63 GB, and dropped to 7.87 GB after cleanup. I like that!

One of the consequences of moving from one mobo to another without a clean install is that this kind of cleanup is needed. One of the advantages of that swap is that I didn’t have to clean install the OS. What can I say? I was in a hurry! Here in Windows-World, these are the trade-offs and the consequences we must learn to accept.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Networking, Recent Activity, Remote Desktop (RDP), Troubleshooting, WED Blog, Windows 11

Power Outages Mung LAN Addressing

Leave a comment

With clear skies yesterday, our house nevertheless took two power hits yesterday. The first lasted 15 minutes, the second 11 (had to reset certain appliance clocks both times). When I tried to remote into the ThinkStation P3 Ultra this morning, RDP wouldn’t connect. So I tried pinging the host name (Tsp3Ultra2) and got “destination host unreachable.” Pretty conclusive proof that power outages mung LAN addressing, since that very string worked fine yesterday.

If Power Outages Mung LAN Addressing, Then?

For the time being I’ve got Advanced IP Scanner open, and am using the “Tools” option for each network node to call Remote Desktop Connection. That tells me which PC I’m trying to get at, and uses its IP address to make things work. Good enough for now, I guess.

I’ve observed that the name table will gradually correct itself over a 24-hour period. Since our last outage happened just before 5 PM yesterday, that means I can return to using machine names for remote access later this evening. In the meantime, I have a decent workaround.

A quick check tells me that only some PCs were affected by the outage. Not surprisingly, the laptops (kept alive by batteries durng the outage) retain their machine name-to-address relationships. The desktops and mini-PCs (except Flo6, which is on a UPS) have all been renumbered.

Here in Windows-World, it’s always something. Yesterday, it was a quick pair of power glitches. Who knows what’ll hit me today?

Note Added Next Day

As I had suspected (or hoped), the machine names are now all working again. As is typical here at Chez Tittel, a 24-hour period is long enough for DHCP to work itself into usable shape. Now I know that a power glitch (or two) can upset that delicate balance. I’ll probably be reminded again sometime soon, now that thunderstorm season here in Central Texas is getting started. This time, I think the glitch came from construction work at the edge of our neighborhood where power goes from overhead to underground lines.

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Secure Boot, Updates, WED Blog, Windows 11

Pondering UEFI Updates

Leave a comment

I’m still getting settled in with my new production desktop environment. ICYDK, it’s built around an MSI MAG Tomahawk B550 mobo, with Ryzen 5800X, NVIDIA 3070Ti GPU, and 64GB DDR4 RAM. This morning, I started digging into the MSI Center app that orchestrates other system utilities, and handles updates for drivers and firmware. In my investigation, I discovered a “new” update for the mobo firmware. In turn, that has me pondering UEFI updates.

Where Does Pondering UEFI Updates Take Me?

I had to figure out that MSI’s once-standalone “Live Update” utility now sits beneath its top-level Support tab (top middle of option bar in the lead-in graphic). Then I had to figure out that UEFI updates appear only when one clicks the “Advanced” button, rather than the more pedestrian “Scan” button (which scans only for driver updates).

As  you can see in that graphic, the company shares its guidance in eye-catching red text at the head of the MB BIOS list. That guidance reads: “MSI does not recommend to update BIOS when system has no issue” in somewhat fractured English. However rough the wording might be, the guidance is still pretty good. Let me explain…

If It Ain’t Broke, Don’t Fix It!

The reason why I recently rebuilt my Flo6 desktop stemmed from UEFI problems with the previous ASRock B550 Extreme4 mobo. It kept sticking halfway between Secure Boot old/updated data sets. That resulted in extreme boot requirements, when I might sometimes have to reset CMOS just to get the PC to boot.

Most of the time I had to shut it down, and cut power, then wait a while to bring it back to life. That went on for weeks before I made the switch to the MSI board. Since then, boot and update operations have been blissfully boring. Things just work, and I can use all of the various boot options and related keyboard options to do exactly what I want.

Reading over Copilot’s summary of what UEFI v2.A0 brings me, as compared to the running v2.90, I don’t see anything I need. Nor do I see anything that would improve Flo6’s currently rock-solid and dependable, fully caught-up Secure Boot Status.

Hence my decision: I’m not going to update. Nothing is causing problems. Everything is working dependably and reliably. Secure Boot is golden. This time, I’ll pass… Maybe next time?

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, PowerShell, Recent Activity, WED Blog, Windows 11

WinGet Iconification Is Ongoing

Leave a comment

Yesterday, I had the good fortune to spend an hour on the phone with WinGet team lead Demitrius Nelon. He gave me a “slice of life” view into the many and varied kinds of chicken-and-egg problems his team deals with daily. He also helped me improve my understanding of where and how icons come from inside a sixel-enabled terminal session, including those that WinGet shows. And indeed, WinGet iconification is ongoing and spreading, as I saw this morning when I ran a general upgrade command on the recently clean-installed (and properly enabled) ThinkPad X12 Gen 1 tablet.

Why Say: WinGet Iconification Is Ongoing

Take a look at the output for a winget upgrade –all …  command from the lead-in graphic. Note the first actual upgrade (for OneDrive) shows an icon in that output stream. This is the first visible evidence I’ve seen running WinGet that the tool is including icons outside of the list –details commands. Very interesting!

Doc Info on list –details

Here’s a big snippet from the release notes for WinGet production version v.1.28.190:

New Feature: ‘list –details’

The new feature enables a new option for the list command, --details. When supplied, the output is no longer a table view of the results but is instead a series of show like outputs drawing data from the installed item.

An example output for a single installed package is:

> wingetdev list Microsoft.VisualStudio.2022.Enterprise --details
Visual Studio Enterprise 2022 [Microsoft.VisualStudio.2022.Enterprise]
Version: 17.14.21 (November 2025)
Publisher: Microsoft Corporation
Local Identifier: ARP\Machine\X86\875fed29
Product Code: 875fed29
Installer Category: exe
Installed Scope: Machine
Installed Location: C:\Program Files\Microsoft Visual Studio\2022\Enterprise
Available Upgrades:
  winget [17.14.23]

If sixels are enabled and supported by the terminal, an icon for the installed package will be shown.

I’m glad to see and understand that the stuff I had to figure out more or less on my own through trial and error is now going explicitly into the public record. For the details on how to enable sixel output in your WinTerm sessions, see last Friday’s how-to blog post Light Up WinGet Icons.

Where to from Here?

I expect to see icons popping up all over WinGet in the coming months. I also expect to see more icons popping up in output streams, as the plumbing falls into place. Right now, only about 20% of WinGet’s packages show icons. But that number’s going to jump for sure. Stay tuned, and I’ll tell you all about it.

 

Facebooklinkedin
Facebooklinkedin
Backup/Restore, Device drivers, Insider stuff, Recent Activity, WED Blog, Windows 11

Two Checkboxes Means 12X Faster

2 Comments

I plugged a Samsung 990 Pro 1TB NVMe into the Thunderbolt 5 port on my Lenovo ThinkPad P16 Gen 3 mobile workstation. ICYDK, TB5 promises up to 80 Gbps bandwidth. The 990 Pro is one of the fastest consumer NVMe drives money can buy. I expected fireworks. I got a firefly. Fortunately, I determined that clicking two checkboxes means 12 faster results. This comes from foregoing quick disconnect and enabling write caching. Let me explain…

Exploring: Two Checkboxes Means 12X Faster

As shown in the lead-in graphic, CrystalDiskMakr tells the ugly truth. As you can see on the left hand side, read speeds looked good. But writes are stuck in what I’d charitably call “USB 2.0 territory.” Something was very, very wrong — and it wasn’t the hardware. Results come from CrystalDiskMark 9.0.2 x64 software.

Now, look to the right, you can see that write speeds jumped significantly, while read speeds stay more or less the same. Indeed, the Thunderbolt 5 (TB5) link and Acasis TB501Pro enclosure weren’t the whole bottleneck. Sequential writes jumped from 473 to 5,943 MB/sec for a 12.6X speed boost.. Even more amazing: 4K Q1T1 writes leapt from 1.04 to 110 MB/sec, for a 105X gain.

All this came from two little checkboxes, on the Policies tab from the Properties window for the Acasis TB501Pro enclosure. Deets follow…

Two Related Settings in DevMgr Do the Trick

Here’s the 30-second procedure:

  1. Open Device Manager → expand Disk drives → right-click your external NVMe → select Properties → click the Policies tab.
  2. Switch from “Quick removal” (the default) to “Better performance.” This unlocks the write caching option that’s otherwise grayed out.
  3. Check the box for “Enable write caching on the device.” This is the setting that actually turns on write caching.
  4. Click OK, then rerun your benchmarks and enjoy the results.

Both settings are required. Selecting “Better performance” alone without the write caching checkbox won’t deliver these numbers. You need both.

Here’s the Tradeoff

Windows defaults to Quick Removal for a good reason: it protects against data loss if you yank a drive without ejecting it first. With Better Performance and write caching enabled, you must use “Safely Remove Hardware” before unplugging, or you risk losing data still sitting in the write cache.

That’s the tradeoff. For a stationary workstation drive that stays plugged in during work sessions, it’s a no-brainer. For a drive you hot-swap constantly throughout the day, think twice. I’m going for maximum speed on backups and restores, so I’ll make myself remember this tradeoff if I need to unlplug the NVMe enclosure.

The Results Could Still Be Better

I’m still of the opinion that — as I opined in my Feb 20 blog on this topic — that buying a TB5 NVMe enclosure isn’t worth the added expense. TB4 enclosures cost about US$100 less, and deliver nearly the same performance as TB5 (it’s a 10-15% difference at best). Doubling the price for a modest gain just doesn’t make sense. TB5 shines for video and networking. For storage links, not so much, because controllers basically limit links to PCIe x3/x4 levels.

That’ still true today. But I was pleased to get much more out of my rig once I made the enclosure behave more like a USB drive and less like a USB stick! Here in Windows-World you sometimes have to take your wins where you can find them…

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, PowerShell, Recent Activity, WED Blog, Windows 11

How-To: Light Up Winget Icons

Leave a comment

Thanks to numerous requests, I’m providing step-by-step instrux in this unusual second blog post for today. It’s based on something that made me unreasonably happy earlier this week. That is:  WinGet can now display colorful package icons right inside Windows Terminal, rendered via sixel graphics. It’s a small visual upgrade that makes winget list –details output dramatically more readable. You get actual application icons inline with package data instead of a wall of monochrome text. But getting there requires a few specific steps. Here’s the complete recipe so you, too, can light up WinGet icons.

Why Must You Light Up WinGet Icons?

The current production version of WinGet is v1.28.220 as I write this post. The latest Preview version is v1.29.70-preview. Production is still catching up, so preview is a must for the moment. I imagine, though, that this will change with the next production version update. As with all moving targets, this one keeps changing along with everything else!

Step 1 — Get a Preview Version of Winget

Sixel icon support requires WinGet version 1.29.50-preview or later. The current stable release doesn’t include it. Check your version with winget -v. If you’re behind, try this first:

winget upgrade Microsoft.AppInstaller –source winget

If that doesn’t pick up the preview build, head to the microsoft/winget-cli releases page on GitHub, download the latest .msixbundle. If a double-click won’t install it, you can install it manually with Add-AppxPackage. Fair warning: on some machines the Microsoft Store installer handles dependencies automatically. On others, you’ll need to sideload VCLibs and Microsoft.UI.Xaml packages yourself.

Step 2 — Enable Sixels in Winget’s Settings (Not Terminal’s!)

This is the gotcha, and it got me for a short while. I confess: I mixed it up myself. The sixel toggle goes in WinGet‘s own settings file, NOT in Windows Terminal’s settings.json. Run winget settings to open the file. Add or merge a visual block so it looks like this:

{
“$schema”: “https://aka.ms/winget-settings.schema.json”,
“visual”: {
“enableSixels”: true,
“progressBar”: “rainbow”
}
}

The enableSixels: true setting tells WinGet to emit sixel graphics in its output. The progressBar key is optional —”rainbow“, “accent”, and “retro” work well (“sixel” works, but is hard to see). Any of these gives you graphical progress bars during installs, as a nice bonus.

Step 3 — Restart Terminal and Run It

Kill Terminal completely — not just close a tab. Right-click the taskbar icon and close the window, or kill the wt process outright. Relaunch. Then run:

winget list –details

Icons should appear for Win32 packages (exe/msi installers). MSIX packages won’t show icons — that’s a known limitation of the current pipeline, not a configuration error on your part. You can filter to a single package to test things quickly (I chose 7Zip, as it’s at the top of my ASCII sort order):

winget list –details 7zip

What to Expect

Not every package gets an icon. In my testing across two ThinkPads, icon coverage ranged from 26% to 31% of total installed packages. The dividing line is 100% correlated with installer category: Win32 packages (exe/msi) get icons, MSIX packages don’t. That’s an architectural gap Microsoft hasn’t bridged yet.

But what works, works beautifully. The icons are crisp, properly sized, and render instantly. It turns a dull text dump into something you can actually scan visually — which matters when you’re staring at 150+ installed packages trying to figure out what needs updating. Once you’ve got it set up, you won’t want to go back to the plain-text version. Cheers!

Facebooklinkedin
Facebooklinkedin

Author, Editor, Expert Witness