Hard_Configurator - Windows Hardening Configurator

H_C, CD, and FH default or recommended settings. Windows 11 Pro.

I plan to enable the "Block all incoming connections, including those in the list of allowed apps" Windows Firewall setting on our kids' systems. Would it affect your tools in any way?
 
No. :)
 
I'm testing the stated setting on my system. I've been noticing these entries in "Advanced SRP Logging" since I enabled the setting, but I think they're okay.

@@@@@@ USER SPACE PATHS:

wininit.exe (PID = 800) identified fontdrvhost.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
winlogon.exe (PID = 900) identified dwm.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
svchost.exe (PID = 1904) identified ctfmon.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

@@@@@@ SCRIPTS:

powershell.exe (PID = 3788) identified C:\Users\rashmi\AppData\Local\Temp\__PSScriptPolicyTest_luynrkoi.3yk.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 3788) identified C:\Users\rashmi\AppData\Local\Temp\__PSScriptPolicyTest_h4pdlv0w.ksq.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
powershell.exe (PID = 4088) identified C:\Users\rashmi\AppData\Local\Temp\__PSScriptPolicyTest_10pmfiya.s04.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

Advanced SRP Logging has "filtered" and "all" options. Why not a blocked option? It would be easy to check for blocked ones, or am I missing something?

I mentioned this issue previously. The FH "Blocked Events" is not working; it shows a "Please wait! It will take some time" message. The message disappears, and the log doesn't appear. The "Firewall.log" in the H_C folder opens fine. Does "Blocked Events" require the legacy Notepad? I removed the legacy Notepad from the optional features. What should I check for the issue?
 
Advanced SRP Logging has "filtered" and "all" options. Why not a blocked option? It would be easy to check for blocked ones, or am I missing something?

Advanced SRP Logging shows which allow/block rules are applied when the executable is run with admin rights.
I use it rarely to see which block rules will be applied if the executable is going to be run with standard rights. There is some advantage, because one executable can trigger more than one block rule at different moments of running.


I mentioned this issue previously. The FH "Blocked Events" is not working; it shows a "Please wait! It will take some time" message. The message disappears, and the log doesn't appear. The "Firewall.log" in the H_C folder opens fine. Does "Blocked Events" require the legacy Notepad? I removed the legacy Notepad from the optional features. What should I check for the issue?

Hard_Configurator runs Notepad by using the command:
@SystemDir & "\notepad.exe " & $ProgramFolder & '\Firewall.log'
This is usually translated to:
C:\Windows\notepad.exe "C:\Windows\Hard_Configurator\Firewall.log"
On Windows 11, the Notepad from the Windows folder opens the Notepad located in WindowsApps:

Code:
Hard_Configurator(x64).exe (PID = 2784) identified C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2504.62.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe as Unrestricted using path rule, Guid = {6d809377-6af0-444b-8957-a3773f02200e}
Notepad.exe (PID = 11884) identified C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2504.62.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe as Unrestricted using path rule, Guid = {6d809377-6af0-444b-8957-a3773f02200e}

Do you have notepad.exe in the Windows folder?
 
@rashmi,

If I turn off the default Notepad, Windows starts using the legacy Notepad:

[Image: 1753221124147.png]


The Legacy Notepad:

[Image: 1753222104753.png]


The default Notepad in Windows 11:

[Image: 1753222231269.png]
 
Advanced SRP Logging shows which allow/block rules are applied when the executable is run with admin rights.
I use it rarely to see which block rules will be applied if the executable is going to be run with standard rights. There is some advantage, because one executable can trigger more than one block rule at different moments of running.
The "All" log option has many entries, so having a separate "Blocked" log would allow users to see only the blocked entries, making it simpler, if feasible.

Do you have notepad.exe in the Windows folder?
The code you posted is there in the logs, but I don't have notepad.exe in the Windows folder.
 
The "All" log option has many entries, so having a separate "Blocked" log would allow users to see only the blocked entries, making it simpler, if feasible.

There are no blocked events in the SystemSpace, but only in UserSpace. The blocks from UserSpace are included in the Filtered log.

The code you posted is there in the logs, but I don't have notepad.exe in the Windows folder.

That is why the FirewallHardening log does not open automatically.
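
Added example (not part of the thread and not Hard_Configurator's own code): a small Python filter for log text in the line format shown in the posts above, keeping only entries whose level is not Unrestricted, which is the "blocked only" view asked about. The two Disallowed lines, their paths and the all-zero GUID are constructed for illustration, and it is assumed that a blocked file is logged with the level Disallowed.

```python
import re
from collections import Counter

# Entry format: "<parent> (PID = n) identified <target> as <level> using <rule> rule, Guid = {...}"
ENTRY = re.compile(
    r"^(?P<parent>.+?) \(PID = (?P<pid>\d+)\) identified (?P<target>.+) as "
    r"(?P<level>[A-Za-z ]+?) using (?P<rule>[a-z ]+?) rule, Guid = (?P<guid>\{[0-9A-Fa-f-]{36}\})$"
)
SECTION = re.compile(r"^@+\s*(?P<name>.+?):?\s*$")  # e.g. "@@@@@@ SCRIPTS:"

# The Unrestricted lines are copied from the thread. The Disallowed lines are
# constructed for this example (hypothetical paths, placeholder GUID).
SAMPLE_LOG = r"""@@@@@@ USER SPACE PATHS:
wininit.exe (PID = 800) identified fontdrvhost.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
explorer.exe (PID = 5120) identified C:\Users\user\Downloads\example_setup.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}
@@@@@@ SCRIPTS:
powershell.exe (PID = 3788) identified C:\Users\rashmi\AppData\Local\Temp\__PSScriptPolicyTest_luynrkoi.3yk.ps1 as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
wscript.exe (PID = 6244) identified C:\Users\user\Desktop\example.vbs as Disallowed using path rule, Guid = {00000000-0000-0000-0000-000000000000}
"""

def parse_srp_log(text):
    """Return one dict per log entry, tagged with the section header it appeared under."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = header["name"]
            continue
        m = ENTRY.match(line)
        if m:  # lines that do not fit the entry format are skipped
            entries.append({**m.groupdict(), "pid": int(m["pid"]), "section": section})
    return entries

def not_unrestricted(entries):
    """Entries evaluated to any level other than Unrestricted (e.g. Disallowed)."""
    return [e for e in entries if e["level"] != "Unrestricted"]

def rule_summary(entries):
    """Count entries per (level, rule type) to see which kind of rule decided."""
    return Counter((e["level"], e["rule"]) for e in entries)

if __name__ == "__main__":
    for e in not_unrestricted(parse_srp_log(SAMPLE_LOG)):
        print(f'{e["section"]}: {e["parent"]} -> {e["target"]} [{e["level"]}, {e["rule"]} rule]')
```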
 
Hard_Configurator runs Notepad by using the command:
@SystemDir & "\notepad.exe " & $ProgramFolder & '\Firewall.log'
This is usually translated to:
C:\Windows\notepad.exe "C:\Windows\Hard_Configurator\Firewall.log"
On Windows 11, the Notepad from the Windows folder opens the Notepad located in WindowsApps:

More precisely, the command: @SystemDir & "\notepad.exe " & $ProgramFolder & '\Firewall.log' is used by FirewallHardening integrated with Hard_Configurator. It requires notepad.exe in the Windows folder. On Windows 11 default settings, Microsoft uses notepad.exe in the Windows folder as a proxy to Notepad in WindowsApps.
 
It is possible that opening LOG files directly by Notepad is not the best method. They can also be opened via Windows Explorer, which could solve the problem of non-existent notepad.exe.
 
I re-added classic Notepad via optional features. Notepad is present in the Windows folder. Now, the FH log shows a "blocked events for the current blocklist not found" window.

Now it is OK. If you want to see something in the Log, try running bitsadmin.exe. You should see the alert.

[Image: 1753345255014.png]


The blocks will be logged:

[Image: 1753345416810.png]
 
I'm using GUI Skin 2, as it resembles the ConfigureDefender and FirewallHardening interfaces. There are 16 skins available, some with a light grey color, but none with a dark theme! :) I wish the GUI Skin 2 and CD/FH had a dark theme! 😊

For unknown reasons, I hate dark themes. 🤢
 
@Andy Ful, I removed the H_C entries from the Windows Start Menu but kept the folder on our kids' machine. I understand it shouldn't be a problem, but I just want to make sure.
 
@Andy Ful, I removed the H_C entries from the Windows Start Menu but kept the folder on our kids' machine. I understand it shouldn't be a problem, but I just want to make sure.

It is recommended to remove the shortcuts from the Start Menu and the Desktop on the kids' machines. 👍
 
@Andy Ful, H_C has OS-based configs. I believe it applies the "Windows_11_SAC_ON_Recommended_Settings" config on Windows 11 machines. Why not have an H_C config with WDAC, at least for Windows 11?

Is it correct that WDAC could also block programs (in the reputation database) or executables at a later stage, such as when accessing a program, etc.?
 
@Andy Ful, H_C has OS-based configs. I believe it applies the "Windows_11_SAC_ON_Recommended_Settings" config on Windows 11 machines. Why not have an H_C config with WDAC, at least for Windows 11?

The version with WDAC is WHHLight (subproject of H_C).

Is it correct that WDAC could also block programs (in the reputation database) or executables at a later stage, such as when accessing a program, etc.?

Such blocking is possible both with H_C and WDAC, although the first is more preventive. Of course, the blocking level depends on the settings.