Don't restrict msiexec.exe (it is on Florian's old lists).Thanks for the confirmation. I was afraid specially of breaking Windows updates. They can break easily, and sometimes, it is hard to find the fix.
You can restrict wusa.exe for home Windows versions (the command line Windows Update utility - it is on Florian's oldest list).
The last time that I saw Windows Update use an interpreter was the GWX Windows 10 Upgrade utility; it used powershell.
powershell is used when installing (but not updating) a small number of softs like Microsoft Office and DropBox.
The rationale for items that Florian removes from his list:
1. disabling them caused too many issues (very rare, and even then not always the case); and\or
2. rarely abused
3. with everything else on the list disabled, there is very little to almost no probability of persistent infection
SRP that disables the bulk of vulnerable processes on home versions of Windows, very little to no problem. On a test system I have 99% of them disabled and only run into to one being blocked once in a great while. Most of the stuff just is not used on a routine basis.
The incidence of blockages increases with the number of software installed on a system. However, something being blocked is not critical as it can be allowed temporarily or permanently as needed. Disabling the stuff that we are talking about does not kill Windows.
Last edited by a moderator: