Hard_Configurator - Windows Hardening Configurator

nadis

Level 1
Apr 21, 2020
14
On an H_C maximum settings VM, I created a test LNK to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\Test.docx" and placed it onto the Desktop. The Desktop LNK file opens the test document.
The problem is not with target files being in those subfolders, but with shortcut (*.lnk) files. Such files are usually created when you install something.


The explanation of how one can whitelist shortcuts in H_C is included in the help for <Whitelist By Path> setting.
Thanks, got it now.

The way of allowing/blocking shortcuts was designed by me. I could whitelist shortcuts even deeper, but I do not think that it is necessary.
I don't see the need to have a limit there, at least not for reasonable folder depths. It can lead to confusion and frustration, also because there's no error message displayed (except in Event Viewer).
FWIW, such a path is created by default by the FurMark installer. According to the download page, it has over 450k downloads.
 
F

ForgottenSeer 95367

The problem is not with target files being in those subfolders, but with shortcut (*.lnk) files. Such files are usually created when you install something.
I tried the reverse test scenario; LNK file in ProgramData Start folder and the target file elsewhere in a 15 nested folder location. The LNK file is not blocked.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
FWIW, such a path is created by default by the FurMark installer. According to the download page, it has over 450k downloads.
OK. When the shortcut is blocked, you should see an alert. There is no need to search Event Log. The H_C has got a feature to identify blocked events via <Tools> <Blocked Events / Security Logs>.
Anyway, such rare cases can be whitelisted manually. In the next few years, it is possible that another developer will hide the shortcut even deeper. A simple solution is already explained & included in the H_C. (y)
You use GPO - it is worth recalling that H_C is not compatible with SRP activated via GPO.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
Yes, and I still don't see why H_C should block it. :) But I won't insist. Peace.
Thanks for your support. (y)
I avoid whitelisting anything, except if it is necessary. For now, I think that it is unnecessary (although it could slightly increase the usability). I may change my mind in the future. :)
 

simmerskool

Level 12
Verified
Well-known
Apr 16, 2017
591
Thanks, I'm sticking with VS for now, only because I know it better. I do now recall that I ran H_C in VMWare win10, (long story missing, have not been running vm for awhile)
Actually, I got my vmware workstation up and running win10, updated everything, and uninstalled VS as H_C was already installed & config'd circa 2019 on this vm, v5.1.1.2. I assume there's a newer version. can someone point me to the link for the current version as there's 192 pages in this thread. Thanks in advance!

updated edit: I found a link for webpage but it seems to be temp down as win11 has issue with H_C. I'm running win10 as ms doesn't like my xeon cpu.
 
Last edited:
  • Like
Reactions: Andy Ful
F

ForgottenSeer 95367

H_C was already installed & config'd circa 2019 on this vm, v5.1.1.2. I assume there's a newer version. can someone point me to the link for the current version as there's 192 pages in this thread. Thanks in advance!
Update button in upper left:

1664661895926.png


as win11 has issue with H_C.
Only W11 22H2 - which Microsoft has blocked access to it because of many problems with it. Microsoft broke a lot of stuff on W11 22H2, such as SRP and WDAC.
 

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
If you did not make a fresh install, then H_C should work with 22H2 update. You can test it by copying the H_C shortcut from the Desktop to your Downloads folder and executing this shortcut from the Downloads folder.
Anyway, if you will refresh the system then SRP restrictions will not work.

Andy,

is it only SRP rules that will not work in H_C if a fresh install of 22H2 is done, or will other functionality of H_C also break?
 
  • Like
Reactions: Andy Ful
F

ForgottenSeer 95367

Andy,

is it only SRP rules that will not work in H_C if a fresh install of 22H2 is done, or will other functionality of H_C also break?
22H2 does not break H_C; it breaks its own SRP and WDAC. H_C adds no features to Windows; it is only a front-end for security features shipped with Windows. Microsoft is breaking their own SRP and WDAC.
 

wat0114

Level 8
Verified
Well-known
Apr 5, 2021
363
22H2 does not break H_C; it breaks its own SRP and WDAC. H_C adds no features to Windows; it is only a front-end for security features shipped with Windows. Microsoft is breaking their own SRP and WDAC.

Thanks, I know H_C is only a front end for enabling Windows security features, but I just wanted to know if 22H2 somehow broke H_C's ability to do that.
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
hi do i need to run windows 11 security basline before running hard configurator?

thanks
No, you do not need to do this. Please note, that SRP will not work on clean installed Windows 11 (that includes 2020 update). Currently, Microsoft allows SRP only when upgrading from Windows 10 or updating from previous versions of Windows 11.
 
F

ForgottenSeer 95367

Currently, Microsoft allows SRP only when upgrading from Windows 10 or updating from previous versions of Windows 11.
Typical Microsoft. Did you figure this out by trial-and-error, or did you see Microsoft give guidance on this publicly?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
Typical Microsoft. Did you figure this out by trial-and-error, or did you see Microsoft give guidance on this publicly?
Both.
Microsoft announced that SAC is going to be installed only with clean Windows 11 (with 2022 update) - there are no plans to introduce SAC in Windows 10 or when upgrading from Windows 10 to Windows 11. So, we can think of Windows 10 (and Windows 10 --> 11 upgrade) as of Windows in backward compatibility mode.
By trial and error, I figured out that SRP does not work on Windows Home and Pro due to the installed SAC (even if it is set to OFF).

Post edited.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,244
I think that SAC is generally a good direction for home users and hybrid work. Of course, I am not objective because the SAC idea (smart-default-deny prevention) is very similar to H_C. The main difference for users is usability.
When using H_C the home administrator can whitelist or allow blocked executables. Furthermore, the restrictions can be adjusted to the needs.
When using SAC, one must fully rely on Microsoft. So, there is much to do for making SAC usable.
 
Last edited:
Top