SysHardener: Harden Windows Settings

Discussion in 'other anti-malware software' started by novirusthanks, Feb 26, 2018.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yes you are quite correct and I understand if you have many users on PC it would be multi-task to run for each user.

    Not sure how others or your choice method can best adapt to the particular different circumstance.

    I also utilize VBS scripts that automate to change Windows-Security etc but are confined to individual machines w/o additional users per machine, perhaps saving rules per user might work in that setting?
     
  2. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    You should add an option to make UAC always ask for a password, even for admin accounts.
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released SysHardener v1.1:
    http://www.novirusthanks.org/products/syshardener/

    Screenshots of the new tabs: (image syshardener-1.1.png, not reproduced here)

    Here is the changelog:

    + Fixed tweaks related to Foxit Reader
    + Fixed "Set Macros Security to "Very High" in Kingsoft WPS Office"
    + Enabled "Turn Off WinHTTP Web Proxy Auto-Discovery Service":
    *** References: Project Zero: aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
    + Added an "info" icon that on click it opens a web page
    + Ask to create a system restore point
    + Support parameter "/createrestorepoint" from command-line
    + New option "Disable PowerShell Script Execution (Windows 7+)"
    + New option "Restrict PowerShell (v3+) to Constrained Language Mode"
    + New option "Configure Behavior of UAC Prompt for Administrators"
    + New option "Configure Behavior of UAC Prompt for Users"
    + Added "System Tools" tab to open useful system tools
    + Minor fixes and optimizations
    + Updated help file
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Uh well, comes another. Thank you, Andreas.
     
    Last edited: Mar 2, 2018
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    Updated. No issues so far. Thank you very much, Andreas.
     
  6. guest

    guest Guest

    same here.
     
  7. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Updated no problem! Quick question, if I already run UAC at its highest, should I just leave those entries alone?
     


  8. guest

    guest Guest

    Better tick them, it won't hurt. SH applied its rules, so if you leave them at default maybe they will change your settings.
     
  9. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power]
    "HiberFileSizePercent"=dword:00000000
    "HibernateEnabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management]
    "DisablePagingExecutive"=dword:00000001
    "LargeSystemCache"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
    "NtfsDisableLastAccessUpdate"=dword:00000001
    "NtfsMemoryUsage"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
    "EnableSuperfetch"=dword:00000000
    "EnablePrefetcher"=dword:00000000
    "EnableBootTrace"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
    "AlwaysUnloadDLL"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    "AlwaysUnloadDLL"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
    "EnableLog"=dword:00000000
    "EnableDpxLog"=dword:00000000

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting]
    "LoggingDisabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting]
    "Disabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration]
    "DisableComponentBackups"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DPS]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TrkWks]
    "Start"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics]
    "EnabledExecution"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoInstrumentation"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance]
    "DisableDiagnosticTracing"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance\BootCKCLSettings]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance\ShutdownCKCLSettings]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
    "SMB1"=dword:00000000
    "SMB2"=dword:00000000
    "SMB3"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization]
    "RestrictImplicitTextCollection"=dword:00000001
    "RestrictImplicitInkCollection"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting]
    "Disabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC]
    "PreventHandwritingDataSharing"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0]
    "NoImplicitFeedback"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
    "DisableInventory"=dword:00000001
    "DisableUAR"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors]
    "DisableLocation"=dword:00000001
    "DisableSensors"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows]
    "CEIPEnable"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\DiagTrack]
    "Start"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WMDRM]
    "DisableOnline"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control]
    "NoRegistration"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\WBEM\CIMOM]
    "EnableEvents"=dword:00000000
    "Logging"="0"

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem]
    "NtfsDisable8dot3NameCreation"=dword:00000001



    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WDI\Config]
    "SEMEnabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog]
    "Start"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
    "Start"=dword:00000000


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoInternetOpenWith"=dword:00000001
    "NoRecentDocsNetHood"=dword:00000001
    "NoRecentDocsHistory"=dword:00000001
    "NoRecentDocsMenu"=dword:00000001
    "NoDriveTypeAutoRun"=dword:000000dd
    "NoLowDiskSpaceChecks"=dword:00000001
    "NoInstrumentation"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer]
    "fDenyTSConnection"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
    "NtfsDisableLastAccessUpdate"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
    "DisableExceptionChainValidation"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "CWDIllegalInDllSearch"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableInstallerDetection"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]
    "Enable"="N"
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Thanks, I actually had to configure those to have the same effect as the UAC Highest setting, but I think I got it.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Vista 32-bit - I can't launch system tools - no alert...no new window...nothing :(
     
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    This one is no longer valid (MS changed it to avoid it being disabled), in order to disable it, they should use:
    Code:
    reg add "HKLM\System\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
    By the way @liba a nice sum up, how did you export it, using ProcMon?
     
  13. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Thanks for the info.

    https://www.nirsoft.net/utils/reg_file_from_application.html
     
  14. 142395

    142395 Guest

    Do you have a source? Basically, ControlSet001 is just a backup of CurrentControlSet so changing either one should have the nearly same effect except when you have many ControlSets and for some reason other set than 001 is used. You can check HKLM\Select key to see what control set was/will be used in certain time or condition. In my system, there's only ControlSet001 so I have so far no chance that other control set can be used, tho control set can be added for some reason.
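    An added example (not from SysHardener or any poster) that does the HKLM\Select check described above: CurrentControlSet is a registry symbolic link to the ControlSetNNN named by the Current value under HKLM\SYSTEM\Select, so the script resolves that name and then compares a service's Start value across every ControlSetNNN on the box. It assumes the service name from this thread, WinHttpAutoProxySvc, and standard Start values (2 = Automatic, 3 = Manual, 4 = Disabled).

```powershell
# Added example: resolve which ControlSetNNN is live and compare a service's
# Start value across all control sets. Run in an ordinary PowerShell session.
param([string]$ServiceName = 'WinHttpAutoProxySvc')   # service discussed in the thread

# HKLM\SYSTEM\Select tells the kernel which control set to use at boot.
$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f $select.Current
$lkg     = 'ControlSet{0:D3}' -f $select.LastKnownGood
Write-Host "CurrentControlSet -> $current   (LastKnownGood -> $lkg)"

# Enumerate every ControlSetNNN present, not just 001.
$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$results = foreach ($set in $sets) {
    $key   = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$ServiceName"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ControlSet = $set.PSChildName
        IsCurrent  = ($set.PSChildName -eq $current)
        Start      = $start
        Meaning    = if ($null -eq $start) { 'key missing' } else { $startNames[[int]$start] }
    }
}
$results | Format-Table -AutoSize

# A tweak written only to ControlSet001 is silent if Select\Current names another set;
# flag any control set whose Start value differs from the live one.
$live  = $results | Where-Object IsCurrent
$stale = $results | Where-Object { -not $_.IsCurrent -and $_.Start -ne $live.Start }
if ($stale) {
    Write-Warning "Start for $ServiceName differs between $current and: $($stale.ControlSet -join ', ')"
}
```

    Because CurrentControlSet and the set named by Select\Current are the same key, a value written through either path lands in the same place; the comparison only matters on systems that carry more than one ControlSetNNN.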
     
  15. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Not sure what's going on here, but SysHardener doesn't disable WinHTTP Web Proxy Auto-Discovery Service on my computer. I see its only dependency is IP Helper, which is also disabled by SysHardener.
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    It is not listed as a reg tweak above, so they are probably using "sc config WinHttpAutoProxySvc start= disabled", but that will not do, that service is locked since 1709. They should use:
    Code:
    reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
    I was using it myself, but it stopped working in 1703, then I found the latter, maybe it was changed in 1709, but the CurrentControlSet001 works for me and the tracing is stopped.
     
    Last edited: Mar 6, 2018
  17. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Ok so it's not just me then, got it!

    It is probably done this way right now for compatibility with various Windows versions, I suppose. Andreas, so as has been pointed out, is SysHardener not fully Windows 1709 compatible?
     
    Last edited: Mar 6, 2018
  18. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
  19. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb:

    OT, but Andy Ful's other utilities are probably exploring as well. Are there any related threads here on Wilders, or just on MT?
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Configure Defender is not signed.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  23. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Very interesting tool with some features I haven't seen before, but it completely killed my connectivity to my PLEX server which is on my local network, not remote. Not sure which specific setting cut off the connectivity so I can uncheck it. Only was able to get it back doing a full Windows Firewall reset.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I am having trouble with powershell constrained mode.
    I enabled this setting in syshardener, but I do not think it worked. In advanced system properties/environment variables, I do not see a powershell value, so it seems to be at default.
    And when I run
    $ExecutionContext.SessionState.LanguageMode
    in powershell, it returns FullLanguage.

    @novirusthanks please check this feature out to make sure it is working properly.

    background info: I had previously enabled constrained language, by running the powershell script
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

    But after I enabled constrained language in SH, the language went back to full.
    Maybe SH toggles the variable between full and constrained, so it depends on the previous state? Just trying to guess what went wrong over here...
     
    Last edited: Mar 11, 2018
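    An added example (not from SysHardener or the poster) for checking whether the __PSLockdownPolicy tweak described above actually took effect: it reports the variable at each scope and asks a fresh powershell.exe process for its language mode, because a Machine-scope environment change is only seen by new PowerShell processes, so the session that applied the tweak can still report FullLanguage. It assumes Windows PowerShell (powershell.exe) and that '4' is the value used for Constrained Language Mode, as in the post.

```powershell
# Added example: verify Constrained Language Mode the way a fresh process sees it.
function Get-LanguageModeReport {
    # __PSLockdownPolicy can live at Process, User or Machine scope; show all three.
    $policy = foreach ($scope in 'Process', 'User', 'Machine') {
        $value = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', $scope)
        "$scope=$(if ($null -eq $value) { '<unset>' } else { $value })"
    }

    # A new process inherits the User/Machine environment, so this reflects the tweak
    # even when the current session was started before it was applied.
    $fresh = & powershell.exe -NoProfile -NonInteractive -Command `
        '$ExecutionContext.SessionState.LanguageMode'

    [pscustomobject]@{
        ThisSessionMode  = $ExecutionContext.SessionState.LanguageMode
        FreshProcessMode = ($fresh | Select-Object -Last 1)
        LockdownPolicy   = ($policy -join '; ')
    }
}

$report = Get-LanguageModeReport
$report | Format-List

if ($report.FreshProcessMode -ne 'ConstrainedLanguage') {
    Write-Warning 'New PowerShell processes still start in FullLanguage; the tweak is not in effect.'
}
```

    Microsoft documents __PSLockdownPolicy as a testing aid rather than an enforcement mechanism: anyone who can edit the machine environment can clear it, and the supported way to enforce Constrained Language Mode is an AppLocker or WDAC policy, which PowerShell honours on start-up.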
  25. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Released a new version SysHardener v1.2:
    http://www.novirusthanks.org/products/syshardener/

    sysh2.png

    This is the changelog:

    + Fixed disabling of WinHTTP Web Proxy Auto-Discovery Service
    + Fixed enabling of PowerShell Constrained Language Mode
    + Fixed disabling of PowerShell Script Execution
    + Added button "Windows Features" on "System Tools" tab
    + Added button "Active Connections" on "System Tools" tab
    + Added button "Event Viewer" on "System Tools" tab
    + Added button "DCOMCNFG" on "System Tools" tab
    + New option "Turn Off HomeGroup Provider Service"
    + New option "Turn Off Program Compatibility Assistant Service"
    + New option "Change PowerShell Execution Policy for Current User"
    + New option "Turn Off DNS Client (Dnscache) Service"
    + New option "Turn Off Windows Search Service"
    + New option "Turn Off SMBv1"
    + New option "Turn Off SMBv2\v3"
    + New option "Disable SMB on Port 445 (SMBDeviceEnabled)"
    + New option "Disable NetBIOS over TCP/IP on All Network Interfaces"
    + New option "Turn Off Sidebar and Desktop Gadgets"
    + New option "Disable DCOM (OLE)"
    + New option "Turn Off Server (LanmanServer) Service"
    + New option "Block Outbound Connections for Eventvwr.exe"
    + New option "Block Outbound Connections for MMC.exe"
    + New option "Block Outbound Connections for Wmic.exe"
    + New option "Disable PowerShell v2.0 Engine"
    + New option "Block Outbound Connections for Rundll32.exe"
    + New option "Block Outbound Connections for PresentationHost.exe"
    + Disabled by default some Windows Firewall options
    + Added top-menu (File\Help) to the main window
    + Minor fixes and optimizations
    + Updated help file

    @shmu26 @dja2k

    Reported issues are fixed in v1.2, thanks for reporting them.

    @OB1W4N5

    Some Windows Firewall rules may break something on Windows Server.

    I disabled a few Windows Firewall rules by default in v1.2.

    @Azure Phoenix

    We'll check if it is possible to add those options.
     