Windows Administrative Tools | A+ Core 2

A+ Core 2 — 220-1102  |  Domain 1.6
Windows Administrative Tools
MMC, Computer Management, Device Manager, Event Viewer, Task Scheduler, Services, Registry Editor, and more. The tools every Windows technician must know cold.
Slide 2 of 19
Microsoft Management Console (MMC)
MMC is not a tool — it is a framework. Snap-ins are the tools. mmc.exe is the container.
[Diagram: MMC Console (mmc.exe) hosting snap-ins: Device Manager, Disk Management, Event Viewer, Services (services.msc), Task Scheduler, Perf Monitor]
What Is a Snap-in?
A modular administrative tool that plugs into the MMC container. Snap-ins are .dll files registered with MMC. Device Manager, Disk Management, Event Viewer, Services, and Group Policy are all snap-ins.
.msc Files
MMC consoles are saved as .msc (Microsoft Saved Console) files. When you run devmgmt.msc, you launch MMC with the Device Manager snap-in pre-loaded. You can build custom consoles by combining snap-ins.
Custom Consoles
Win + R → mmc opens a blank MMC. File → Add/Remove Snap-ins lets you assemble a custom console with exactly the tools you use most. Save as yourname.msc for quick daily access.
Slide 3 of 19
Computer Management
compmgmt.msc — one console that consolidates the most-used administrative snap-ins.
System Tools
Task Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance Monitor, Device Manager. Core system monitoring and configuration utilities all accessible from one tree pane.
Storage
Disk Management: create, delete, format, resize partitions; assign drive letters; initialize new drives. Windows Disk Defragmenter (legacy). The disk operations you need most are in this single node.
Services and Applications
Services: start, stop, and configure startup type for all Windows services. WMI Control: Windows Management Instrumentation configuration. Routing and Remote Access on server editions.
Access Methods
Win + R → compmgmt.msc. Right-click This PC → Manage. Search bar → "Computer Management." All three produce the same result. Right-click This PC is the fastest for technicians using a mouse.
Remote Management
Right-click "Computer Management (Local)" → Connect to another computer. Enter the remote hostname or IP. Allows you to manage remote systems using the same familiar interface. Requires admin credentials on the remote system.
Slide 4 of 19
Device Manager
devmgmt.msc — every hardware device, its driver, and its status in one view.
Yellow Triangle
Driver problem or resource conflict. The device is installed but not functioning correctly. Double-click for error code (e.g., Code 43: device has stopped working). Action: update driver, roll back driver, or check for hardware conflict.
Red X
Device is disabled or has a critical failure preventing operation. Right-click → Enable Device to re-enable a manually disabled device. Red X can also indicate the device is not recognized at all (missing driver).
Down Arrow
Device has been manually disabled by an administrator or user. Common for unused hardware ports. Right-click → Enable Device. Does not indicate a fault — it is an intentional administrative state.
Action | When to Use
Update Driver | Device not functioning; newer driver available; post-OS upgrade
Roll Back Driver | Device stopped working after a driver update; previous version was stable
Uninstall Device | Complete removal; Windows will rediscover on next boot or scan
Scan for Hardware Changes | After physically adding a device that was not auto-detected
Properties → Resources | Check IRQ, I/O, and DMA assignments; identify resource conflicts
Slide 5 of 19
Event Viewer
eventvwr.msc — the audit trail for everything that happens on a Windows system.
Windows Logs
Application: errors and warnings from installed applications. Security: logon/logoff events, privilege use, object access (requires auditing enabled). System: Windows component and driver events. Setup: installation events.
Event Levels
Information: normal operation logged. Warning: potential problem, not yet critical (e.g., low disk space). Error: significant problem occurred; functionality may be impaired. Critical: system or application failure requiring immediate attention.
Event ID
Each event type has a numeric ID. Event ID 4625 = failed logon. Event ID 7036 = service started/stopped. Event ID 41 = unexpected shutdown (Kernel-Power). Knowing key IDs speeds troubleshooting significantly.
[Diagram: event levels in increasing severity: Information (normal operation), Warning (potential problem), Error (significant failure), Critical (system/app failure). Example labels: ID 6005: Startup; Disk space low; ID 4625: Logon fail; ID 41: Kernel-Power]
Filtering
Right-click any log → Filter Current Log. Filter by event level, event ID, source, and time range. "Find" (Ctrl+F) searches event descriptions. Custom Views let you save useful filters and reuse them. Critical troubleshooting skill — the logs contain thousands of entries; unfiltered views are unusable.
Slide 6 of 19
Task Scheduler
taskschd.msc — automate any executable, script, or program on a time or event trigger.
Triggers
On a schedule (one time, daily, weekly, monthly). At logon or logoff. At startup or system event. When a specific event log entry is written. When a user becomes idle. Multiple triggers can be combined on a single task.
Actions
Start a program (most common): runs an .exe, .bat, .ps1, or any executable. Send an email (deprecated in Windows 8+). Display a message (deprecated). Actions can be chained: run script A, then script B.
Run As / Security
Tasks can run as the logged-in user, a specified service account, or SYSTEM. "Run whether user is logged on or not" is essential for unattended tasks. "Run with highest privileges" elevates the task to admin level automatically.
A helpdesk manager needs a script to check disk space nightly and email a report if any volume is above 90% utilization. Task Scheduler: trigger = daily at 2:00 AM, action = run disk-check.ps1, run as SYSTEM, run whether user is logged on or not. No human intervention required after setup.
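The scenario above can be registered from PowerShell. This added example (not from the original slides) checks that the script and its folder are writable only by SYSTEM and Administrators before registering the task, because a task that runs as SYSTEM executes whatever that file contains. The script path, task name, and Get-NonAdminWriter helper are hypothetical, and disk-check.ps1 itself is not shown.

```powershell
# Added example. $ScriptPath is a hypothetical location; the task name is made up.
$ErrorActionPreference = 'Stop'
$ScriptPath = 'C:\Scripts\disk-check.ps1'
$TaskName   = 'Nightly Disk Check'

# Hypothetical helper: list principals other than SYSTEM/Administrators that
# can modify or replace the item at $Path.
function Get-NonAdminWriter {
    param([Parameter(Mandatory)][string]$Path)

    # SYSTEM and BUILTIN\Administrators by well-known SID (names are localized).
    $trusted = 'S-1-5-18', 'S-1-5-32-544'
    # Rights that let a principal change, replace, or re-permission the item.
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]

    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            -not ($_.PropagationFlags -band $inheritOnly) -and   # skip ACEs that only apply to children
            ($_.FileSystemRights -band $write)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $_.IdentityReference.Value
                Rights = $_.FileSystemRights
            }
        }
}

# Check both the script and its parent folder before trusting it to SYSTEM.
$writers = @($ScriptPath, (Split-Path -Parent $ScriptPath) |
    ForEach-Object { Get-NonAdminWriter -Path $_ })

if ($writers.Count -gt 0) {
    Write-Warning ($writers | Format-Table -AutoSize | Out-String)
    throw "Fix the ACLs above before registering '$TaskName'."
}

# Trigger = daily at 2:00 AM, action = run the script, run as SYSTEM.
# A SYSTEM principal runs whether or not a user is logged on.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '2:00 AM'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal
```

A folder created directly under C:\ usually inherits a Modify entry for Authenticated Users (S-1-5-11), so the check is expected to stop the registration until that entry is removed.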
Slide 7 of 19
Windows Services
services.msc — every background process that runs independently of any user session.
Startup Types
Automatic: starts with Windows. Automatic (Delayed Start): starts a short time after boot to reduce startup load. Manual: starts only when called by another process or user. Disabled: cannot start until startup type is changed. Trigger Start: starts on a specific system event.
Recovery Actions
For each failure (1st, 2nd, subsequent): restart the service, restart the computer, or run a program. Configure via service Properties → Recovery tab. Critical services like Windows Defender should restart on failure automatically.
Log On As
Services run under a security context: Local System (full local rights, no network access by default), Local Service (reduced rights), Network Service (network rights with machine credentials), or a specific domain service account. Incorrect service account is a common misconfiguration.
[Diagram: service start timing relative to boot: Automatic = immediately; Auto (Delayed) = ~60-120s after boot; Manual = on demand only; Trigger Start = on system event; Disabled = never starts]
Exam Tip
Know the difference between Automatic and Automatic (Delayed Start). Delayed Start was introduced to improve boot performance by spreading service startup over time. A service set to Delayed Start that "is not running when you need it immediately after boot" is working as designed.
Slide 8 of 19
Disk Management
diskmgmt.msc — initialize, partition, format, and manage volumes without third-party tools.
Disk Initialization
New drives show as "Not Initialized" in Disk Management. Must initialize before creating partitions. MBR (Master Boot Record): max 2 TB, max 4 primary partitions, compatible with all OS versions. GPT (GUID Partition Table): supports drives over 2 TB, up to 128 partitions, required for UEFI boot.
Volume Types
Simple: single disk, basic functionality. Spanned: one logical volume across multiple disks (no redundancy). Striped (RAID 0): performance, no redundancy. Mirrored (RAID 1): redundancy, no performance gain. RAID 5: requires 3+ disks, parity for fault tolerance.
Action | Procedure | Notes
Shrink Volume | Right-click volume → Shrink Volume | Cannot shrink below unmovable data
Extend Volume | Right-click volume → Extend Volume | Contiguous unallocated space must exist to the right
Change Drive Letter | Right-click volume → Change Drive Letter and Paths | Can break apps that hard-code paths
Format | Right-click volume → Format | NTFS for Windows system; exFAT for cross-platform USB
Slide 9 of 19
Performance Monitor
perfmon.msc — real-time and historical performance data collection and analysis.
Performance Counters
Processor: % Processor Time. Memory: Available MBytes, Pages/sec. LogicalDisk: % Disk Time, Avg. Disk Queue Length. Network Interface: Bytes Total/sec. Add any counter to the real-time graph for live monitoring.
Data Collector Sets
Groups of counters saved to log files for historical analysis. Run overnight or over a week to capture baseline performance. Compare peak-time logs against baseline to identify trends. Essential for capacity planning and SLA reporting.
Resource Monitor
Launched from Task Manager (Performance tab → Open Resource Monitor) or perfmon /res. Shows real-time CPU, memory, disk, and network usage with per-process breakdown. More detail than Task Manager; less setup than Performance Monitor.
[Chart: % CPU Time, Memory Pages/sec, and Disk Queue Length on a 0% to 100% scale, with an 85% threshold line]
Key Baseline Counters
Memory: Pages/sec above 20 indicates memory pressure. Disk: Avg Disk Queue Length above 2 sustained indicates disk bottleneck. CPU: % Processor Time above 85% sustained indicates CPU saturation. These thresholds drive hardware upgrade decisions.
Slide 10 of 19
Registry Editor
regedit.exe — the hierarchical database that stores all Windows and application configuration.
Hive | Contents
HKEY_LOCAL_MACHINE (HKLM) | System-wide settings, hardware, and installed software config. Applies to all users.
HKEY_CURRENT_USER (HKCU) | Current logged-in user settings: desktop, preferences, per-user software config.
HKEY_CLASSES_ROOT (HKCR) | File associations and COM object registrations. Merge of HKLM and HKCU software keys.
HKEY_USERS (HKU) | All user profiles loaded on the system.
HKEY_CURRENT_CONFIG (HKCC) | Current hardware profile (subset of HKLM).
DANGER: Backup First
Incorrect registry edits can prevent Windows from booting. Always export (File → Export) the specific key before modifying it. Never edit the live registry on a production system without a backup or snapshot.
Remote Registry
File → Connect Network Registry. Enter remote hostname. Allows remote registry editing without RDP. Requires the Remote Registry service to be running on the target and appropriate permissions.
Run Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU equivalent control startup programs. Malware frequently persists here. Autoruns (Sysinternals) enumerates all run keys comprehensively.
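For a quick review of the two Run keys named above without Autoruns, this added example (not part of the original slides) lists each entry, resolves the executable it points to, and reports the file's Authenticode status. The function names and the command-line parsing rules are assumptions, and it covers only these two keys, not every autostart location Autoruns checks.

```powershell
# Added example: list Run-key autostart entries and check each target's signature.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-CommandTarget {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    # "C:\path with spaces\app.exe" args
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\path\app.exe args (unquoted)
    if ($expanded -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-separated token
    return ($expanded.Trim() -split '\s+')[0]
}

function Get-RunKeyEntry {
    param([string[]]$Keys = $RunKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key            # Microsoft.Win32.RegistryKey

        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $target  = Get-CommandTarget -Command $command

            # Bare file names and missing files cannot be checked here; they
            # are reported as Unresolved for manual follow-up.
            $signature = 'Unresolved'
            if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                $signature = [string](Get-AuthenticodeSignature -LiteralPath $target).Status
            }

            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Command   = $command
                Target    = $target
                Signature = $signature
            }
        }
    }
}

Get-RunKeyEntry | Sort-Object Signature, Key | Format-Table -AutoSize -Wrap
```

Entries reported as NotSigned, HashMismatch, or Unresolved are the ones to look at first; a Valid status confirms only that the file is signed, not that it belongs there.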
Slide 11 of 19
Local Users & Groups
lusrmgr.msc — manage local accounts on a standalone or workgroup machine.
Built-in Accounts
Administrator: full system control; disabled by default in modern Windows. Guest: severely restricted; disabled by default; should remain disabled. DefaultAccount: managed by system; do not use. HelpAssistant: created during remote assistance sessions.
Built-in Groups
Administrators: full local control. Users: standard restricted access. Guests: most restricted. Remote Desktop Users: allows RDP logon. Backup Operators: backup/restore rights bypassing file permissions. Power Users: legacy group, reduced permissions in modern Windows.
Account Properties
Password never expires (service accounts). User must change password at next logon (new account distribution). Account is disabled. Account lockout status. Profile path, logon script, and home folder configuration for roaming profiles.
A technician creates a new standard user account for a contractor. The account is set to expire in 90 days, "User must change password at next logon" is checked, and the account is added only to the Users group. On day 91 the account automatically expires — no manual cleanup required.
Slide 12 of 19
Group Policy & Local Policy
gpedit.msc (local) / gpmc.msc (domain) — enforce security and configuration at scale.
Local Group Policy (gpedit.msc)
Applies to the local machine only. Two nodes: Computer Configuration (applies regardless of who logs in) and User Configuration (applies to the logged-in user). Available on Pro, Enterprise, and Education editions. Not on Windows Home.
Key Policy Areas
Password policies: minimum length, complexity, age, history. Account lockout: threshold, duration, observation window. Security options: UAC behavior, auditing, network security. Software restriction policies. Windows Firewall rules. All enforced without registry editing.
Policy Path | Controls
Computer Config → Windows Settings → Security Settings → Account Policies | Password and account lockout policies
Computer Config → Windows Settings → Security Settings → Local Policies | Audit policy, user rights, security options
User Config → Administrative Templates → Start Menu and Taskbar | Remove Run, lock down Start menu items
Computer Config → Admin Templates → Windows Components → Windows Update | Configure automatic update behavior
Slide 13 of 19
Task Manager
Ctrl+Shift+Esc — real-time process, performance, and startup visibility in one tool.
Processes Tab
All running apps and background processes. CPU, memory, disk, and network usage per process. Right-click → End Task to terminate a frozen process. Right-click → Open File Location to find the executable. Grouped by App, Background Process, and Windows Process.
Performance Tab
Real-time graphs for CPU, memory, disk, network, and GPU. Shows total RAM installed, in-use, and available. Open Resource Monitor link for deeper per-process breakdowns. CPU graph shows logical processors; right-click to change to logical view.
Startup Tab
All programs configured to launch at user logon. Startup Impact column rates each item: Low, Medium, High. Right-click → Disable to prevent an item from launching at startup without uninstalling it. Faster and safer than editing the registry Run keys.
Details Tab
Low-level process list with PIDs (Process IDs). Right-click → Set Priority. Right-click → Set Affinity to pin a process to specific CPU cores. Used for performance tuning and forensic analysis.
Services Tab
List of all services with status. Right-click → Start/Stop/Restart a service directly. "Open Services" link opens services.msc for full configuration access. Fastest way to restart a single service during troubleshooting.
App History Tab
CPU time and network usage accumulated by Windows Store apps over time. Useful for identifying apps consuming disproportionate background resources. Data accumulates since last manual reset.
Slide 14 of 19
System Configuration (msconfig)
Win + R → msconfig — boot options, safe mode, and selective startup for troubleshooting.
General Tab
Normal startup: loads all device drivers and services. Diagnostic startup: loads only basic drivers (like Safe Mode via GUI). Selective startup: choose which items load individually. Used to isolate startup causes for crashes or performance issues.
Boot Tab
Safe boot: Minimal, Network, or Alternate Shell. Safe boot checkbox makes the system boot into Safe Mode on next restart. Remove the check after troubleshooting or the system will stay in Safe Mode permanently. Timeout: how long the boot menu waits before auto-selecting.
Services Tab
Shows all services with enabled/disabled checkboxes. "Hide all Microsoft services" checkbox isolates third-party services. Disable all third-party services, reboot, and re-enable in groups to isolate a problematic service causing crashes or slowdowns.
Clean Boot Process
1. msconfig → Services → Hide all Microsoft services → Disable all. 2. Task Manager → Startup → Disable all. 3. Reboot. 4. Test. If problem resolves, re-enable items in batches to isolate the culprit. This is the A+ textbook approach to isolating software-caused issues.
Slide 15 of 19
System Information (msinfo32)
A read-only snapshot of every hardware and software component on the system.
System Summary
OS version, build, processor, RAM (installed and total), BIOS version, BIOS mode (Legacy vs UEFI), Secure Boot state, and system manufacturer. First stop when you need to document a system's hardware configuration.
Components
Detailed info on Display (driver version, resolution, VRAM), Sound, Network Adapters, Storage (controller and drive info), USB, and more. Each component node provides more detail than Device Manager's Properties dialog.
Software Environment
Installed drivers, running tasks, startup programs, environment variables, print jobs, network connections, and loaded modules. Useful for forensic review of what was running at a given time when combined with saved .nfo exports.
Saving Reports
File → Save (saves as .nfo, readable only in msinfo32) or File → Export (saves as plain text for documentation or ticketing). msinfo32 /report filename.txt at the command line saves a text report silently — useful in scripts for automated inventory collection.
Slide 16 of 19
PowerShell for Administration
The modern Windows administration shell. GUI tools are PowerShell with a wrapper.
# List running services
Get-Service | Where-Object {$_.Status -eq "Running"}
# Restart a service
Restart-Service -Name Spooler
# List installed software
Get-Package
# Disk info
Get-Disk
Get-Volume
# User accounts
Get-LocalUser
# Event logs
Get-EventLog -LogName System -Newest 20
Why PowerShell?
GUI tools require clicking through multiple windows. PowerShell executes the same task in one line and is scriptable. IT admins managing hundreds of machines cannot do it manually — PowerShell bridges the gap.
Execution Policy
Controls which scripts can run. Restricted: no scripts. RemoteSigned: local scripts ok; downloaded scripts need signature. Unrestricted: all scripts. Check with Get-ExecutionPolicy. Set with Set-ExecutionPolicy (requires elevation).
Get-Help
Get-Help Get-Service shows syntax, parameters, and examples for any cmdlet. Get-Help * lists all available commands. Update-Help downloads the latest documentation. The built-in help system eliminates the need to memorize syntax.
Slide 17 of 19
Command Prompt Admin Tools
Classic cmd.exe commands that remain essential for Windows administration and troubleshooting.
Command | Purpose | Key Option
net user | Create, modify, delete local user accounts | net user alice Pa$$w0rd /add
net localgroup | Manage local group membership | net localgroup Administrators alice /add
sc | Query and control Windows services | sc query spooler / sc stop spooler
sfc /scannow | System File Checker: scan and repair protected system files | Run elevated; results in CBS.log
DISM | Deployment Image Servicing: repair Windows component store | DISM /Online /Cleanup-Image /RestoreHealth
chkdsk | Check disk for errors and bad sectors | chkdsk C: /f /r (requires reboot)
gpupdate /force | Immediately apply Group Policy changes | /force bypasses change-detection logic
gpresult /r | Show applied Group Policy objects for current user and computer | /h filename.html for full HTML report
Slide 18 of 19
.MSC Quick Reference
Every .msc file you need to know for the 220-1102 exam, in one place.
Run Command | Tool Name | Primary Use
compmgmt.msc | Computer Management | All-in-one admin console: Device Manager, Disk, Services, Users
devmgmt.msc | Device Manager | Driver management and hardware troubleshooting
diskmgmt.msc | Disk Management | Partitioning, formatting, drive letter assignment
eventvwr.msc | Event Viewer | System, security, and application event logs
services.msc | Services | Start/stop services; configure startup type and recovery
taskschd.msc | Task Scheduler | Automate scripts and programs on time or event triggers
perfmon.msc | Performance Monitor | Real-time counters and historical data collection
gpedit.msc | Local Group Policy Editor | Local security and configuration policies (non-Home editions)
lusrmgr.msc | Local Users and Groups | Manage local accounts and group membership
regedit.exe | Registry Editor | Read/write Windows registry (use with caution)
msconfig.exe | System Configuration | Boot options, selective startup, clean boot for troubleshooting
msinfo32.exe | System Information | Full hardware and software snapshot; read-only
Slide 19 of 19
Domain 1.6 Key Facts
Windows Administrative Tools — condensed for exam review.
1. MMC is the container; snap-ins are the tools. .msc files are saved snap-in configurations. mmc.exe alone opens a blank console.
2. devmgmt.msc: yellow triangle = driver problem, red X = disabled/failed, down arrow = manually disabled. Roll Back Driver is the fix after a bad update.
3. eventvwr.msc: Security log requires auditing to be enabled. Event ID 4625 = failed logon. Filter by Event ID for rapid diagnosis. Custom Views save filter configurations.
4. Services startup types: Automatic, Automatic (Delayed Start), Manual, Disabled, Trigger Start. Delayed Start is by design — not a fault.
5. diskmgmt.msc: MBR = max 2 TB, 4 primary partitions. GPT = large drives, 128 partitions, UEFI required. Initialize before partitioning.
6. Registry hives: HKLM = machine-wide. HKCU = current user. HKCR = file associations. Export before editing. Run keys are common malware persistence points.
7. msconfig clean boot: hide Microsoft services, disable third-party, disable startups, reboot. Re-enable in batches to isolate the culprit.
8. sfc /scannow repairs system files. DISM /RestoreHealth repairs the component store first when sfc fails. Run DISM before sfc when both are needed.