diff --git a/src_assets/windows/misc/gamepad/install-gamepad.bat b/src_assets/windows/misc/gamepad/install-gamepad.bat
index abbec0250b0..70b30d71d8e 100644
--- a/src_assets/windows/misc/gamepad/install-gamepad.bat
+++ b/src_assets/windows/misc/gamepad/install-gamepad.bat
@@ -48,18 +48,23 @@ for /f "tokens=3" %%a in ('reg query "HKCU\Software\Microsoft\Windows\CurrentVer
 rem get browser_download_url from asset 0 of https://api.github.com/repos/nefarius/vigembus/releases/latest
 set latest_release_url=https://api.github.com/repos/nefarius/vigembus/releases/latest
-rem Use curl to get the api response, and find the browser_download_url.
-rem `--connect-timeout 10 --max-time 20` ensures we don't hang for minutes if
-rem GitHub or the local network is unreachable during install.
-for /F "tokens=* USEBACKQ" %%F in (`curl -s --connect-timeout 10 --max-time 20 !proxy! -L %latest_release_url% ^| findstr browser_download_url`) do (
- set browser_download_url=%%F
+rem Step 1: download release metadata via curl (preserves the existing proxy
+rem support through !proxy!). Saving to disk avoids piping a multi-megabyte
+rem JSON payload through cmd.exe's narrow `for /F` token buffer.
+set "release_json=%temp_dir%\vigembus_release.json"
+curl -f -s -L --connect-timeout 10 --max-time 20 !proxy! -o "%release_json%" "%latest_release_url%"
+if errorlevel 1 (
+ echo ERROR: Could not fetch ViGEmBus release metadata.
+ exit /b 1
 )
-rem Strip quotes
-set browser_download_url=%browser_download_url:"=%
+rem Step 2: parse the JSON via PowerShell ConvertFrom-Json instead of fragile
+rem findstr + substring stripping. The previous approach silently produced an
+rem invalid URL if the JSON layout shifted, or if any asset name contained
+rem characters that confused `set` parsing.
+for /F "tokens=* USEBACKQ delims=" %%F in (`powershell -NoProfile -Command "try { $r = Get-Content -LiteralPath '%release_json%' -Raw ^| ConvertFrom-Json; $a = $r.assets ^| Where-Object { $_.name -like '*.exe' } ^| Select-Object -First 1; if ($a -and $a.browser_download_url) { $a.browser_download_url } } catch { }"`) do set "browser_download_url=%%F"
-rem Remove the browser_download_url key
-set browser_download_url=%browser_download_url:browser_download_url: =%
+del /q "%release_json%" >nul 2>&1
 if "%browser_download_url%"=="" (
 echo ERROR: Could not resolve ViGEmBus download URL.
diff --git a/src_assets/windows/misc/migration/migrate-config.bat b/src_assets/windows/misc/migration/migrate-config.bat
index d35c48722dd..48cd76f909d 100644
--- a/src_assets/windows/misc/migration/migrate-config.bat
+++ b/src_assets/windows/misc/migration/migrate-config.bat
@@ -55,8 +55,12 @@ if exist "%OLD_DIR%\covers\" (
 if not exist "%NEW_DIR%\covers\" (
 move "%OLD_DIR%\covers" "%NEW_DIR%\"
- rem Fix apps.json image path values that point at the old covers directory
- powershell -c "(Get-Content '%NEW_DIR%\apps.json').replace('.\/covers\/', '.\/config\/covers\/') | Set-Content '%NEW_DIR%\apps.json'"
+ rem Fix apps.json image path values that point at the old covers directory.
+ rem Pass the path via environment to PowerShell and use -LiteralPath to avoid
+ rem PowerShell code injection if the install path contains characters like ' or $.
+ set "MIGRATE_APPS_JSON=%NEW_DIR%\apps.json"
+ powershell -NoProfile -Command "$p = $env:MIGRATE_APPS_JSON; (Get-Content -LiteralPath $p).Replace('.\/covers\/', '.\/config\/covers\/') | Set-Content -LiteralPath $p"
+ set "MIGRATE_APPS_JSON="
 )
 )
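Review bot: `%release_json%` is spliced directly into the PowerShell source as `-LiteralPath '%release_json%'`, so a `'` anywhere in `%temp_dir%` (it typically derives from the user's profile path, which can carry the account name) terminates the single-quoted string and breaks the parse, which is exactly the problem the migrate-config hunk in this same commit avoids by passing the path through `$env:`. Do the same here: add `set "VIGEM_RELEASE_JSON=%release_json%"` before the `for /F` and use `Get-Content -LiteralPath $env:VIGEM_RELEASE_JSON -Raw` inside the command. The surviving context comment `rem get browser_download_url from asset 0 of ...` no longer describes the new selection, which takes the first asset whose name matches `*.exe`; change it to `rem get browser_download_url of the first *.exe asset of ...`. `%temp_dir%` is not set anywhere in this hunk; presumably it is defined earlier in the script, but that is worth confirming since an empty value would write the JSON to `\vigembus_release.json` at the drive root.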
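Review bot: The exit status of the new `powershell -NoProfile -Command "$p = $env:MIGRATE_APPS_JSON; ..."` call is not checked, so if `Get-Content` or `Set-Content` fails (apps.json locked by a running instance, or no write permission on the new directory) the migration proceeds silently and the cover paths stay pointing at the old location. Follow the call with `if errorlevel 1 echo WARNING: Could not update cover paths in %NEW_DIR%\apps.json.` so the user is told to fix them by hand. A short comment that `Get-Content` without `-Raw` yields an array of lines and `.Replace` is applied per line would also spare the next reader the question of whether the substitution can span lines. The outer `if exist "%OLD_DIR%\covers\" (` block starts before this hunk.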
@@ -69,6 +73,8 @@ if exist "%NEW_DIR%\apps.json" (
 powershell -ExecutionPolicy Bypass -File "%~dp0migrate-images.ps1" "%NEW_DIR%"
 )
-rem Remove log files
-del "%OLD_DIR%\*.txt"
-del "%OLD_DIR%\*.log"
+rem Remove legacy Sunshine log files left at the install root by older versions.
+rem Restrict to known patterns instead of all *.txt / *.log to avoid clobbering
+rem user-placed files (e.g. notes, third-party README's) in the install dir.
+if exist "%OLD_DIR%\sunshine.log" del /q "%OLD_DIR%\sunshine.log" >nul 2>&1
+for %%F in ("%OLD_DIR%\sunshine.log.*") do if exist "%%~fF" del /q "%%~fF" >nul 2>&1
diff --git a/src_assets/windows/misc/vsink/install-vsink.bat b/src_assets/windows/misc/vsink/install-vsink.bat
index dc02c3365c4..4c61cbc5071 100644
--- a/src_assets/windows/misc/vsink/install-vsink.bat
+++ b/src_assets/windows/misc/vsink/install-vsink.bat
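Review bot: Both new `del` lines redirect stderr to `nul`, so a log that is still held open by a running Sunshine service is left behind without any message, and because `del` does not set ERRORLEVEL on failure the only reliable way to notice is to test for the file afterwards. Change the loop body to `do (del /q "%%~fF" >nul 2>&1 & if exist "%%~fF" echo WARNING: Could not remove %%~fF)` and do the same after the `sunshine.log` deletion. The `if exist "%%~fF"` guard in front of `del` is redundant, since a wildcard file set only yields paths that exist when it is expanded. If older versions also wrote `*.txt` logs, as the removed `del "%OLD_DIR%\*.txt"` suggests they may have, the new comment should state that those are now intentionally kept.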
@@ -37,10 +37,25 @@ if %errorLevel% equ 0 (
 :: Set variables
 set "installer=VBCABLE_Driver_Pack43.zip"
 set "download_url=https://download.vb-audio.com/Download_CABLE/VBCABLE_Driver_Pack43.zip"
-set "temp_dir=%TEMP%\vb_cable_install"
-:: Create temp directory
-if not exist "%temp_dir%" mkdir "%temp_dir%"
+:: Use an unpredictable temp directory under the admin user's %TEMP% to defeat
+:: any pre-positioned binary at a guessable path. %TEMP% under an elevated
+:: shell is the admin's own profile (not world-writable), but using a fresh
+:: random directory eliminates the residual TOCTOU window between mkdir and
+:: VBCABLE_Setup_x64.exe launch.
+for /F "usebackq delims=" %%R in (`powershell -NoProfile -Command "[guid]::NewGuid().ToString('N')"`) do set "RAND_ID=%%R"
+if "%RAND_ID%"=="" set "RAND_ID=%RANDOM%%RANDOM%%RANDOM%"
+set "temp_dir=%TEMP%\sunshine-vbcable-%RAND_ID%"
+
+:: Create temp directory (start clean; refuse to proceed if pre-existing path
+:: cannot be removed, in case an attacker pre-created a hardlink/junction).
+if exist "%temp_dir%" rd /s /q "%temp_dir%"
+if exist "%temp_dir%" (
+ echo ERROR: Could not prepare temp directory: %temp_dir%
+ pause
+ exit /b 1
+)
+mkdir "%temp_dir%"
 :: Download installer
 echo Downloading VB-Cable driver...
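Review bot: `RAND_ID` is never cleared before the `for /F`, so when the `powershell` call produces no output (no PowerShell, or a failure) and a `RAND_ID` value already exists in the inherited environment, the `if "%RAND_ID%"==""` fallback is skipped and the directory name reuses that stale value instead of a fresh one; add `set "RAND_ID="` immediately before the loop. The `%RANDOM%%RANDOM%%RANDOM%` fallback is three 0–32767 draws from cmd's non-cryptographic generator, so the comment's promise of an unpredictable name only holds on the GUID path; a sentence noting that the fallback relies on the per-user `%TEMP%` ACL rather than on unpredictability would keep the comment accurate. Because the name now differs on every run, the directory is no longer reused, so unless the script removes `%temp_dir%` at the end (not visible in this hunk) each run leaves a new `sunshine-vbcable-<id>` directory behind in `%TEMP%`.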