Hard_Configurator - Windows Hardening Configurator

Sunshine-boy · Oct 26, 2017

When I turn off the recommendeSRP and refresh the explorer the disk usage goes high(99%) and my FPS drop in the game so I have to restart the pc and everything back to normal again.
For every disabling and enabling rules, i have to restart the pc or the disk usage break my works

I'm not sure why but this happen only when I chose refresh explorer from the GUI.

Andy Ful · Oct 26, 2017

Sunshine-boy said:
When I turn off the recommendeSRP settings and refresh the explorer the disk usage goes high(99%) and my FPS drop in the game so I have to restart the pc and everything back to normal again.
For every disabling and enabling rules, i have to restart the pc or the disk usage break my works I'm not sure why but this happen only when I chose refresh explorer from the GUI.

I noticed this behavior with some games which do not like refreshing Explorer.

You have to choose "LOG OFF" to apply changes.

Sunshine-boy · Oct 26, 2017

So this is not about your tool right? it's about the win and the game itself

Thnx for the answer.

Andy Ful · Oct 26, 2017

Sunshine-boy said:
So this is not about your tool right? it's about the win and the game itself
Thnx for the answer.

Yes. Refresh Explorer = close all Explorer threads and next start Explorer. The new Explorer reads again some changed Registry settings (for example related to SRP). Some applications (rarely) can be fooled by this, and do not work properly.
.
Edit
My advice, close applications and then configure Hard_Configurator settings.

Andy Ful · Oct 27, 2017

The new Hard_Configurator beta 3.1.0.0 is available on GitHub:
For Windows 64-bit:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
For Windows 32-bit:
Hard_Configurator/Hard_Configurator_setup(x86)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
The installers were uploaded to Microsoft, Emsisoft and Norton, as false positives and should be whitelisted with yesterday signatures.They are not included in SmartScreen signatures (it will take some months).

Andy Ful · Oct 27, 2017

It seems (surprisingly), that the 64-bit version is from today accepted by SmartScreen.

shmu26 · Oct 27, 2017

Andy Ful said:
The new Hard_Configurator beta 3.1.0.0 is available on GitHub:
For Windows 64-bit:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
For Windows 32-bit:
Hard_Configurator/Hard_Configurator_setup(x86)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
The installers were uploaded to Microsoft, Emsisoft and Norton, as false positives and should be whitelisted with yesterday signatures.They are not included in SmartScreen signatures (it will take some months).

Any notable changes that we might want to know about?

Andy Ful · Oct 27, 2017

shmu26 said:
Any notable changes that we might want to know about?

Blocked external utilities (Nirsoft FullEventLogView, Sysinternals Autoruns, 7-Zip) as standard user, in '%SystemRoot%\Hard_Configurator' folder.
Hard_Configurator does not use NirSoft NirCmd.
Added <Disable Cached Logons> and <UAC CTRL_ALT_DEL> buttons to harden credentials protection outside the home network.
Added backup management for Profile Base (whitelist profiles and setting profiles can be 'exported to'/'imported from' one compressed file).
Removed the option <No Removable Disks Exec.>.
Corrected the bug related to Maximum Shadow Copy Storage space.
Corrected the <Disable SMB> displaying '?' when SMB 1.0 is not installed (as in Windows 10 Fall Creators Update).
Added 'Restart Computer' possibility after <APPLY CHANGES>, when the changed settings are related to drivers (SMB protocol).
Updated Hard_Configurator manual (with some corrections).

Hard_Configurator uses Nirsoft FullEventLogView, Sysinternals Autoruns, and 7-Zip with administrative rights, so they can be safely blocked as standard user in Hard_Configurator folder.
The new options <Disable Cached Logons> and <UAC CTRL_ALT_DEL> can be relevant outside the home network. The option <Disable Cached Logons> can be the useful hardening, when using Active Directory.
Some AVs did not like NirCmd, so I skipped it in the new version.
Hard_Configurator uses Profile Base where the actual settings and actual SRP White List can be stored and quickly restored if required. In the new version, the Profile Base can be archived to file with the password. It can be useful when someone is planning to make the fresh Windows installation.
The option <No Removable Disks Exec.> was removed because it was reported to falsely recognize
fixed disks. This Windows feature is not necessary for Hard_Configurator, because from Windows Vista SP2, the AutoRun is active only for CD/DVD drives (when pressing the drive icon).

Daniel Keller · Oct 27, 2017

Hey Andy,

Great work! Thank you so much for constant supporting this great tool...

Andy Ful · Oct 27, 2017

Daniel Keller said:
Hey Andy,

Great work! Thank you so much for constant supporting this great tool...

Your welcome. It is my hobby, anyway.

Av Gurus · Oct 27, 2017

When FCU is ON I got this error when try to install:

Av Gurus · Oct 27, 2017

Try to install VS with "Run As SmartScreen" and got this error:

Andy Ful · Oct 27, 2017

Av Gurus said:
Try to install VS with "Run As SmartScreen" and got this error:

View attachment 171052

Something blocks write access to: 'c:\Users\ \Desktop\InstallVoodooShield409beta.exe' .
'Run As SmartScreen' must add an alternate stream to file (as web browsers do with downloaded files) to force SmartScreen check.
Have you restricted write access to Desktop?
Edit.
It is related to your Controlled Folder Access settings. It will block most installers and applications from making changes on the Desktop. If you like such Desktop restrictions, then you will have to make application shortcuts manually - in the case of Hard_Configurator, make the shortcut to C:\Windows\Hard_Configurator\Hard_Configurator(x64).exe
With Controlled Folder Access you have 2 solutions related to "Run As SmartScreen:

Add C:\Windows\Hard_Configurator\RunAsSmartscreen(x64).exe to exclusion list
do not "Run As SmartScreen" from protected folders.

Av Gurus · Oct 27, 2017

Andy Ful said:
With Controlled Folder Access you have 2 solutions related to "Run As SmartScreen:

Add C:\Windows\Hard_Configurator\RunAsSmartscreen(x64).exe to exclusion list

This is working OK.
Tnx

Sunshine-boy · Nov 5, 2017

:notworthy:I just installed the new version! thanks for the new tweaks.
P.S:
I scared to enable the protect windows folders.what if my game wants to start smth from c: windows?
According to your explanations if the program starts with admin rights then your tool will not stop it right?!
How can I know the program started with admin right?
If I'm using the admin acc so I already ran my tools under the admin right?

Also is there any alert or error if smth got blocks?

Andy Ful · Nov 5, 2017

Sunshine-boy said:
:notworthy:I just installed the new version! thanks for the new tweaks.
P.S:
I scared to enable the protect windows folders.what if my game wants to start smth from c: windows?
According to your explanations if the program starts with admin rights then your tool will not stop it right?! How can i know the program started with admin right?

You should turn ON <Protect Windows Folder>. It closes the loophole in Windows protection. This feature protects only some Windows subfolders that have no executables, but are writable, so the malware can use it to drop executables and bypass whitelisting. Games are not using those folders to execute anything.

Sunshine-boy said:
Also is there any alert or error if smth got blocks?

Mostly, yes. Sometimes not. If you are curious, use the <Tools> - <Run SRP/Scripts EventLogView> to view blocked entries.

Sunshine-boy · Nov 5, 2017

Thanks for the answers:notworthy: I will enable it because I'm So Curious.
Keep up the good work hacker.

Andy Ful · Nov 18, 2017

It seems that the Attack Surface Reduction introduced in Windows 10 Fall Creators Update works also in Windows Home version. It can be configured when using PowerShell.
The bad news is that the rule 'Block Office applications from creating child processes' does not work with Microsoft Office 2007 and Open Office. It works well with Microsoft Office 2016.
So it is possible, that the below ASR features:

Block Office applications from creating child processes
Block Office applications from creating executable content
Block Office applications from injecting into other processes
Block Win32 imports from Macro code in Office

will work only with the office software still supported by Microsoft (MS Office 2010, 2013, 2016).
Unfortunately, I cannot test it for MS Office 2010 and MS Office 2013. I someone can then please let me know.

Av Gurus · Nov 18, 2017

I have in my virtual test PC MS Office Pro Plus 2013 and ASR is working OK.
You can check my tests in Malware Vault (Samples).

https://malwaretips.com/threads/17-11-17-13.77382/#post-690533

Andy Ful · Nov 18, 2017

Av Gurus said:
I have in my virtual test PC MS Office Pro Plus 2013 and ASR is working OK.
You can check my tests in Malware Vault (Samples).

https://malwaretips.com/threads/17-11-17-13.77382/#post-690533

View attachment 173863 View attachment 173864

Thanks. Defender used AttackSurfaceReductionRules_Id: D4F940AB-401B-4EFC-AADC-AD5F3C50688A, that is related to 'Block Office applications from creating child processes'.

Hard_Configurator - Windows Hardening Configurator

Level 28

From Hard_Configurator Tools

Level 28

From Hard_Configurator Tools

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 85

From Hard_Configurator Tools

Level 2

From Hard_Configurator Tools

Level 29

Level 29

From Hard_Configurator Tools

Level 29

Level 28

From Hard_Configurator Tools

Level 28

From Hard_Configurator Tools

Level 29

From Hard_Configurator Tools

Similar threads