Hard_Configurator - Windows Hardening Configurator

Andy Ful said:
You have to test it. Copy the H_C shortcut to the Downloads folder and try to run it. It should be blocked if SRP works well. You can also create any shortcut in the Downloads folder and run it.
Click to expand...
Thanks. It works on my machine :D I suppose we'll have to see what happens with next big Win 11 update but good to see it's working ;)

1673568895411.png
 
  • Like
Reactions: mkoundo, Andy Ful, Moonhorse and 3 others
I am glad Software Restriction Policies still work on Windows 11 devices which have Smart Application Control disabled. First it felt like being excluded from a new feature, now I am thankful for still having this Windows XP feature on my wife's laptop. I find H_C easier to use than secpol.msc, so thanks for your great tools (y)
 
  • Like
Reactions: cryogent, Andy Ful, vtqhtr413 and 2 others
My wife's HP laptop came with Windows11. I bought it online and with free update service (bios, drivers etc) and doa check. The update service did not mention updating Windows. The laptop had Windows 11 installed and executed first run settings initialization procedure (so I assumed it came with clean installed Windows11). It now runs 22H2 with SAC switched off and SRP is fully functional.
 
Last edited by a moderator:
  • Like
Reactions: vtqhtr413, oldschool, simmerskool and 1 other person
SRP seems dysfunctional on Windows 11 due to SAC, although there is no official note from Microsoft. SAC works on the systems in Europe and North America. Some people reported that it did not work after updating Windows 11 to ver. 22H2 (from previous Windows 11 versions) and some reported that SRP still works.
The problem is that Microsoft is silent about this issue, so there can be some surprises in the future.
 
  • Like
  • Wow
Reactions: vtqhtr413, oldschool, simmerskool and 3 others
Andy Ful said:
SRP seems dysfunctional on Windows 11 due to SAC, although there is no official note from Microsoft. SAC works on the systems in Europe and North America. Some people reported that it did not work after updating Windows 11 to ver. 22H2 (from previous Windows 11 versions) and some reported that SRP still works.
The problem is that Microsoft is silent about this issue, so there can be some surprises in the future.
Click to expand...

Hi Andy

I use NTLite, which i think you are familiar with, to remove items from my Os, if i remove SAC, would H_C or SWH function ok?
 
  • Like
Reactions: vtqhtr413 and [correlate]
pxxb1 said:
Hi Andy

I use NTLite, which i think you are familiar with, to remove items from my Os, if i remove SAC, would H_C or SWH function ok?
Click to expand...
If the system is based on Windows 11 22H2 and the region (Europe, North America) is supported, then probably not. :(
 
  • Like
Reactions: vtqhtr413, simmerskool and [correlate]
Andy Ful said:
If the system is based on Windows 11 22H2 and the region (Europe, North America) is supported, then probably not. :(
Click to expand...

Forgot to mention that, yes W11 22H2. Probably not you say, that you have to clarify because i can not see, do not understand why not.
 
  • Like
Reactions: vtqhtr413
pxxb1 said:
Forgot to mention that, yes W11 22H2. Probably not you say, that you have to clarify because i can not see, do not understand why not.
Click to expand...
The information about the source of the issue is insufficient. I doubt if it is possible to remove SAC and all dependencies with the help of NTLite, so most probably SRP will not work. Anyway, I will not insist that I am right, because I did not test it. (y)
 
  • Like
Reactions: vtqhtr413, oldschool and simmerskool
Andy Ful said:
The information about the source of the issue is insufficient. I doubt if it is possible to remove SAC and all dependencies with the help of NTLite, so most probably SRP will not work. Anyway, I will not insist that I am right, because I did not test it. (y)
Click to expand...
Yeah, you are right. The issue is surrounded by a lot of uncertainties.
 
  • Like
Reactions: vtqhtr413 and Andy Ful
I read a blog where someone was able to solve the problem. After deleting the keys SRP should work again. Can anyone confirm this?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000002
"LastWriteTime"=hex(b):01,00,00,00,00,00,00,00
Click to expand...

borncity.com

Software Restriction Policies (SAFER) still possible under Windows 11 22H2 …

[German]We was told, that Software Restriction Policies and SAFER no longer work out-of-the-box under Windows 11 22H2. This is caused by registry entries left in the ISO images, that make Windows 11…
borncity.com borncity.com


Here you can also read that there is a bypass in SRP and how to close it.
The bypass nonsensically allows restricted users to create subdirectories in %SystemDrive%.
A Demonstration and how to prevent.

Prevent Bypass of AppLocker and SAFER alias Software Restriction Policies

skanthak.homepage.t-online.de skanthak.homepage.t-online.de
 
Last edited:
  • Like
Reactions: vtqhtr413 and Gandalf_The_Grey
Griz said:
I read a blog where someone was able to solve the problem. After deleting the keys SRP should work again. Can anyone confirm this?


borncity.com

Software Restriction Policies (SAFER) still possible under Windows 11 22H2 …

[German]We was told, that Software Restriction Policies and SAFER no longer work out-of-the-box under Windows 11 22H2. This is caused by registry entries left in the ISO images, that make Windows 11…
borncity.com borncity.com


Here you can also read that there is a bypass in SRP and how to close it.
The bypass nonsensically allows restricted users to create subdirectories in %SystemDrive%.
A Demonstration and how to prevent.

Prevent Bypass of AppLocker and SAFER alias Software Restriction Policies

skanthak.homepage.t-online.de skanthak.homepage.t-online.de
Click to expand...
After some trial and error, I found out that the Kanthak correction can be simplified by the tweak:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Srp\Gp]
"RuleCount"=dword:00000000

Simply, one has to correct the invalid number of Applocker rules under this key (there are no rules at all). This value will not change, because SAC uses WDAC policies to control AppLocker, so no policies are added under this key.
This tweak works well with SAC, also if it is turned ON.
Click to expand...
Discussed here:
malwaretips.com

Windows 11 22H2 no longer supports Software Restriction Policies (SRP)

A brief note to Windows administrators who still rely on Software Restriction Policies (SRP). This security feature has been deprecated since 2020, but is still supported in Windows 10. But Windows 11 version 22H2 will definitely put an end to the use of Software Restriction Policies –...
malwaretips.com malwaretips.com
@Andy Ful Do you have plans to update the first post an your GitHub page with this info?
 
Last edited:
  • Like
Reactions: vtqhtr413, Mercenary, simmerskool and 1 other person
Last edited:
  • Like
Reactions: vtqhtr413, simmerskool, Andy Ful and 1 other person

You may also like...