ZNHOO Whatever you are, be a good one!


  1. Prevent Win10 1803 auto-restart
  2. Security
  3. Drivers
  4. Windows Embedded Standard 7
    1. Add more features
  5. Activation
    1. MAK
    2. Key Management Server (KMS)
      1. KMS emulator
      2. GVLK
      3. Configure a client
      4. Activate a product
      5. References

Prevent Win10 1803 auto-restart

  1. Run gpedit.msc as administrator;
  2. Computer Configuration - Administration Template - Windows Update
  3. Configure Automatic Updates - Enabled

    Choose '4 - Auto download and schedule the install'

  4. No auto-restart with logged on users for shceduled automatic updates installations - Enabled


  1. WannaCry / Wcry / WannaCrypt

    Turn off SMB v1 and optionally v2 and/or v3. Then check by:

    netstat -na | find "LISTENING" | find ":445 "

    Especially, Windows XP SP3 requires patch Windows XP SP3 安全更新程序 (KB4012598).

  2. Anything related to Intel Management Engine (IME) or Automatic Management Technology (AMT) should be avoid.
  3. Turn off Windows Defender (scan disk) with gpedit.msc.


  1. Unlike Widnows 8 onwards, Windows 7 ISO lack drivers (i.e. Ethernet, Wireless etc.). Upon installation, it probably cannot connect the Internet.

Windows Embedded Standard 7

Installation tips:

  • Use a Template - Thin Client.
  • Modify Drivers & Modify Features.
  • Automatically detect devices.
  • Untick 'Resolve optional dependencies' otherwise final OS Footprint would be 3.4G around. Leave 'Resolve Dependencies' to the last step of package selection, which otherwise would pulls uncessary leftover.
  • .Net Framework, tick everything. Miscellaneous applications depend on .NET framework.
  • Application Support, untick 'MSMQ'.
  • Boot Environments, 'Enhanced write filter boot Environment' to 'Windows Boot Environment'.
  • Browsers, keep IE 8.
  • Data Access and Storage, untick 'Windows Data Access Components - SQL'.
  • Data Integrity, leave everything unticked.
  • Devices and Printers, untick 'Printing Utilities and Management'.
  • Diagnostics, leave 'Common Diagnostics Tools' and optionally 'User' ticked (Windows Task Manager).
  • Embedded Enabling Features, untick everything and optionally tick 'Registry Filter' (for regedit).
  • Fonts, tick 'Simplified Chinese Fonts'.
  • Graphics and Multimedia, untick 'Windows Media Player 12'.
  • International, leave everything unticked.
  • Internet Information Service - IIS, leave everything unticked.
  • Management, leave it alone but optionally untick 'Windows Update User Interface'.
  • MediaCenter, leave everything unticked.
  • Networking, untick everything and tick 'Network and Sharing Center', and optionally 'Wireless Networking'. With regards to 'Wireless Networking' part, VirtualBox does not support wirless adapters (only simulates Ethernet), which means you cannot add or see wirless adapter in Windows Device Manager. However, you can attach a USB Wi-Fi stick to guest OS and connect directly to Wi-Fi router.
  • Remote Connections, untick 'Remote Desktop Connection'.
  • Security, untick everything.
  • System Services, leave it alone.
  • User Interface, untick 'Help', 'Microsoft Speech API', and 'Accessibility'.
  • Resolve Dependencies. Choose 'Unbranded Startup Screens', 'Windows Boot Environment', 'Standard Windows USB Stack' and 'Windows Explorer Shell' (a MSUT). Some previously unticked feature might be ticked again as a dependency of some other features.

Add more features

Suppose you have unticked an feature (i.e. IE 8), and want to add it back after installation, do the following:

  1. Find the feature package cabinet file from ISO, like DS/Packages/FeaturePack/x86~winemb-ie-explorer~~~~6.1.7600.16385~1.0/WinEmb-IE-Explorer.cab.
  2. Use Pkgmr or DISM command line to install the cabinet file. dism is far more powerful than what you think. For example, you can use it to check a cabinet file information.
# Do it in an elevated command prompt.
Pkgmgr /?
DISM /Online /Add-Package /PackagePath:"C:\Users\Brink\Desktop\WinEmb-IE-Explorer.cab"
Pkgmgr /ip /m:C:\Users\Brink\Desktop\WinEmb-IE-Explorer.cab
# restart system as requested



  1. Windows XP Professional VOL SP3 x86


  2. Windows Emebedded 7 Standard x86


Key Management Server (KMS)

KMS activation is not permanent.

A Microsoft Key Management Server (KMS) is a legitimate service offered under Microsoft Volume Activation 2.0 solution which is used to activate volume licensed Microsoft products. It works with minimal administration intervention and allows automated activation of Microsoft products (i.e. Windows OS, Office, Visio etc.).

With KMS activation method, the client (Microsft products) contacts verification server periodically to renew license. Each activation holds the license for 180 days. I will not go into details on KMS mechanism.

Here, I will set up a self-hosted KMS server :) based on FOSS reverse engineering code. Before that, please review a few notes on KMS:

  1. KMS activates only Volume (VOL) licensing Microsoft products.

    'Windows Enterprise' is certainly VOL licensed while 'Windows Professionl' use either VOL license or retail license. Office versions downloaded from Microsoft MSDN and/or Technet are non-VOL. It's recommended to download VOL licensing editions from itellyou.cn.

    MAK activation method (one key forever) makes life easier on the premise that you succeed in finding a MAK key.

  2. Where to put the KMS server side?

    Intuitively, we can deploy it on Windows system to be activated. However, local server may be compromised by Windows updates or anti-virus software. Beginning with Windows 8.1 the KMS server must be a different computer than the client. You cannot use vlmcsd on the same computer where you want to activate a product. If you have only one computer, you can run vlmcsd in a virtual machine. It's better to put the server side on a alway-on devices like VPS.

KMS emulator

Among the other things, vlmcsd in C and py-kms in Python2 are the most popular KMS emulators. They can run on almost any platforms like Windows, Cygwin, Linux, Android, OpenWrt, Unix, BSD etc. Here, I choose vlmcsd on CentOS 7 as an example.

To set up KMS emulator on Windows system, you'd better use py-kms.

  1. Firstly, build binaries from source.

    root@tux / # cd /opt/
    root@tux opt # git clone --depth=1 https://github.com/Wind4/vlmcsd.git
    root@tux opt # cd vlmcsd
    root@tux opt # man man/vlmcsd.7
    root@tux opt # make
    root@tux opt # chown -R nobody: /opt/vlmcsd
    root@tux opt # cd bin
    root@tux opt # vlmcsd -h
    root@tux opt # vlmcs -h

    The author also provides pre-compiled binaries on Github relase page.

  2. Launch KMS server

    root@tux / # /opt/vlmcsd/bin/vlmcsd -g nobody -u nobody -o2 -L127.0.0.1:1688 -m1 -t5 -d -lsyslog -v -De
    root@tux / # /opt/vlmcsd/bin/vlmcsd -i /opt/vlmcsd/etc/vlmcsd.ini
    root@tux / # journalctl -xft vlmcsd

    The options -D and -e are useful for terminal debugging.

    We can load configuration file by the option -i and run vlmcsd in background, such that we can send the "HUP" signal to vlmcsd process without restarting.

    # man man/vlmcsd.ini.5
    User = nobody
    Group = nobody
    PublicIPProtectionLevel = 2
    Listen =
    MaxWorkers = 1
    ConnectionTimeout = 5
    DisconnectClientsImmediately = TRUE
    LogFile = syslog
    LogVerbose = TRUE

    Command line options take precedence over the respective configuration line in the .ini file. For example, -k (do not disconnect clients) on command line overrides 'DisconnectClientsImmediately = TRUE'.

    About configuration options, please check etc/vlmcsd.ini.

  3. Firewalld

    Make sure the relevant port are accessible from outside.

  4. Test KMS server locally

    user@tux ~ # journalctl -xft vlmcsd
    user@tux ~ # /opt/vlmcsd/bin/vlmcs -v -e  # print examples
    user@tux ~ # /opt/vlmcsd/bin/vlmcs -v -x        # print supported Windows and Office versions
    user@tux ~ # /opt/vlmcsd/bin/vlmcs -v -l 35     # activate Windows 7 Enterprise
    1. vlmcs tests against a KMS server that can be a vlmcsd emulator or a real Microsoft KMS.
    2. A Microsoft KMS sends correct activation messages only if it detects a certain minimum of clients (25 for Windows client OSses, 5 otherwise) on the network. This is Microsoft's futile attempt to prevent running a KMS server in a home environment. Use the -n argument to charges a KMS server. The vlmcsd emulator is always fully charged, so I set MaxWorkers to 1. If -n is larger than 1, vlmcsd will report RPC error.
    3. The above vlmcs client runs in the same host as vlmcsd. Repeat the test from your PC to see what happens.
  5. Systemd unit (/etc/systemd/system/vlmcsd.service)

    Description=KMS emulator
    ExecStart=/opt/vlmcsd/bin/vlmcsd -i /opt/vlmcsd/etc/vlmcsd.ini

    There is no point in leaving this service always online as long as you remember to activate the product every 180 days.


KMS recognizes product type by General Volume License Key (GVLK). If you accidentally ignore GVLK during installation or entered the some other keys (i.e. invalid MAK key) afterwards, please restore Windows GVLKs (a.k.a KMS Client Setup Key), Office GVLKs. Open an elevated command prompt on the client Windows:

For Windows:

slmgr /ipk <GVLK>

For Office:

cd C:\Program Files\Microsoft Office\Office16
cscript ospp.vbs
cscript ospp.vbs /inpkey:<GVLK>

Choose an approprate GVLK in accord with reference link above. Do *not fill GVLK in product itself. Always use the command line!

slmgr is for Windows OS and usually resides in the system32 directory. ospp.vbs is for Office 2010/2013/2016. To use it, we should first change the current directory Office's installation. slmgr.vbs and cscript ospp.vbs without parameters print help message.

You'll have to install a volume license (VL) version of Office. Office versions downloaded from MSDN and/or Technet are non-VL. If you happened to install a retail licensing product (i.e. OEM, Home, and Ultimate Windows), then in all likelihood KMS is out of your luck. To check Windows version on command line:

wmic os get caption

There exist some inofficial GVLKs for retail licensing Windows, which can be found in vlmcsd.7 man page. Hence, why not attempt to convert Windows to a KMS client as stated above? The only difference is that those inofficial GVLKs hold each activation for 45 or 30 days.

About Office, if you happened to install a retail version (i.e. Office 16 Pro Plus retail, Visio included), there exists a script to help you convert the retail version to VOL version. If you have tried to input different MAK keys before the conversion or the product brings in a default MAK key, you should first remove them before KMS activation.

cscript ospp.vbs /dstatus
cscript ospp.vbs /unpkey:<last-5-digits>

You are highly recommended to install and activate Visio 2016 Pro before other office components. inpkey automatically assigns the keys to Office or Visio.

Configure a client

For Windows OS, skms means set KMS:

slmgr.vbs /skms <kms-server[:tcp-port]>

For Office, it is optional if Windows OS already sets that.

cd C:\Program Files\Microsoft Office\Office16
# -or-
cd C:/Program Files(x86)/Microsoft Office/Office16
cscript ospp.vbs /sethst:<kms-server>
cscript ospp.vbs /setprt:<tcp-port>

Activate a product

After telling a client the KMS address, Windows contacts it for activation on demands. To activate Windows system immediately, right click Computer, select Properties and activate there. Alternatively, do it on command line:

slmgr.vbs /ato
slmgr.vbs /xpr
slmgr.vbs /dlv

Similarly for Office:

cscript ospp.vbs /act
cscript ospp.vbs /dstatus


  1. KMS Client Setup Keys
  2. 使用vlmcsd自建KMS服务~一句命令激活windows/office
  3. KMS服务器搭建
  4. Windows、Office KMS 激活服务器搭建
  5. 非Windows平台上的仿真KMS服务器