Hard_Configurator - Windows Hardening Configurator

normalizerx said:
Yes, I have switched them off on purpose, now the context menu is OK and showing.
Click to expand...

Switch ON the restrictions, but do not restart Windows. Is the context menu showing?
If not, please use <Tools> <Blocked Events / Security Logs> to generate the Log. Save the Log in the file and send it as an attachment to the hardconfigurator@gmail.com
 
  • Like
  • +Reputation
Reactions: rashmi, Dave Russo, simmerskool and 1 other person
normalizerx said:
Yes, if I switch on the restrictions, the context menu is still there, but if I sign out or restart, they disappear.
Click to expand...
It probably means that H_C blocks something just after the Windows restart.
You have to look at the Log and seek events time-correlated with the sign-in.
 
  • Like
  • +Reputation
Reactions: Brownie2019, rashmi, Dave Russo and 2 others
normalizerx said:
I think so, yes, but still nothimg in the log time-correlated with this, strange. I checked again.
Click to expand...

You can remove the restriction for AppInstaller. ESET uses it for the context menu, but it is not signed by Microsoft (and blocked).

1765366248081.png


You can also set <Block AppIstaller> to ON2. In this setting, ESET's context menu should work in Explorer, but installing some apps from Microsoft Store will be restricted. The apps installed with GET method will be allowed (true Metro apps), but those with INSTALL method will be blocked.
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool, rashmi, Gandalf_The_Grey and 1 other person
normalizerx said:
Thank you very much for your time and help, disabling Block AppIstaller resolved the issue. I hope disabling it is not too much of a security risk.
Click to expand...
The ON2 setting is slightly safer if you can accept some restrictions in Microsoft Store.
I am not sure if ESET's Live Guard can check the reputation of APPX or MSIX packages.
 
  • Like
  • +Reputation
Reactions: simmerskool, rashmi, Gandalf_The_Grey and 1 other person
Hi Andy, I'm unable to run gpupdate /force after I installed Hard_Configurator ver 7.0.1.1. Turned off SRP temporarily will fix the problem. I play around with group policy a lot, is there a way to run gpupdate without having to turn off SRP when I make any group policy changes?
 
  • Like
Reactions: Parkinsond
ByteSentinel said:
Hi Andy, I'm unable to run gpupdate /force after I installed Hard_Configurator ver 7.0.1.1. Turned off SRP temporarily will fix the problem. I play around with group policy a lot, is there a way to run gpupdate without having to turn off SRP when I make any group policy changes?
Click to expand...

It is intentional. I explained this in the H_C manual. (y)

1767130885025.png


Edit.
The attachment is slightly corrected (the original info from the manual included a note about WHHLight instead of H_C).
 
Last edited:
  • +Reputation
  • Hundred Points
  • Like
Reactions: oldschool, simmerskool, ByteSentinel and 1 other person
Parkinsond said:
Does enabling SRP disable all GP rules?
View attachment 294125
Click to expand...

Enabling SRP in H_C changes the rules in the Windows Registry related to SRP and AppInstaller. However, the rules are not removed from GPO. The GPO rules can be restored in the Windows Registry after refreshing GPO. This can cause problems, so the conflicting rules should be removed from GPO.
 
  • +Reputation
  • Thanks
Reactions: simmerskool and Parkinsond
Andy Ful said:
Enabling SRP in H_C changes the rules in the Windows Registry related to SRP and AppInstaller. However, the rules are not removed from GPO. The GPO rules can be restored after refreshing GPO. This can cause problems, so the conflicting rules should be removed from GPO.
Click to expand...
So the telemetry rule is still working with SRP on.
 
Parkinsond said:
So the telemetry rule is still working with SRP on.
Click to expand...

The GPO settings related to telemetry are not changed by enabling SRP in H_C. However, some telemetry can be blocked when blocking LOLBins (via SRP or FrewallHardening).
 
  • Like
  • +Reputation
Reactions: wayner.d, Zero Knowledge, simmerskool and 1 other person
Hello,





In my case, I have H_C, which is really lightweight and doesn't interfere too much with Windows. WD's anti-ransomware is disabled... And I also have Safing Portmaster...



I use LOLBins in FirewallHardening and basic settings in ConfigureDefender...

I don't want an aggressive security policy.

I'm running Win 11 Home.



Is WHHLight more advisable?

I get the impression that H_C is more comprehensive. Is that the case?





Thank you!
 

Attachments

  • explorer_8qIy3MtOCA.png
    explorer_8qIy3MtOCA.png
    210.6 KB · Views: 57
  • explorer_Ev9lBhBLnz.png
    explorer_Ev9lBhBLnz.png
    10 KB · Views: 56
  • Hard_Configurator(x64)_ujN0zBdivc.png
    Hard_Configurator(x64)_ujN0zBdivc.png
    10.4 KB · Views: 56
  • Like
Reactions: simmerskool, wayner.d and Andy Ful
pytroman86 said:
Is WHHLight more advisable?
Click to expand...

You have applied a very basic custom setup.
PowerShell is protected only via Constrained Language and FirewallHardening.
The EXE/MSI applications are protected by SmartScreen.
In such a basic setup, there is no difference if you use H_C or WHHLight.

pytroman86 said:
I get the impression that H_C is more comprehensive. Is that the case?
Click to expand...

H_C has more tweaks possible, like for example blocking LOLBins.
Both H_C and WHHLight are comprehensive solutions.
In more restrictive settings, H_C is highly preventive to avoid running malicious DLLs (it prevents but does not block DLLs).
WHHLight in more restrictive settings is less preventive but can also block DLLs.
The choice depends on the user.
 
  • Like
  • +Reputation
Reactions: simmerskool, pytroman86 and wayner.d
Andy Ful said:
You have applied a very basic custom setup.
PowerShell is protected only via Constrained Language and FirewallHardening.
The EXE/MSI applications are protected by SmartScreen.
In such a basic setup, there is no difference if you use H_C or WHHLight.



H_C has more tweaks possible, like for example blocking LOLBins.
Both H_C and WHHLight are comprehensive solutions.
In more restrictive settings, H_C is highly preventive to avoid running malicious DLLs (it prevents but does not block DLLs).
WHHLight in more restrictive settings is less preventive but can also block DLLs.
The choice depends on the user.
Click to expand...
Thank you. How can I configure H_C without disrupting the use of Windows too much?
 
  • Like
Reactions: Andy Ful
pytroman86 said:
Thank you. How can I configure H_C without disrupting the use of Windows too much?
Click to expand...

Why did you set <Block PowerShell Scripts> = OFF and <Forced SmartScreen> = OFF ?
What do you mean by ConfigureDefender basic settings?
Do you use MS Office (installed in the system)?
 
  • Like
  • +Reputation
Reactions: Zero Knowledge, simmerskool and pytroman86
like this :
 

Attachments

  • ConfigureDefender_x64_4bwwujDXMG.png
    ConfigureDefender_x64_4bwwujDXMG.png
    25.2 KB · Views: 58
  • ConfigureDefender_x64_CrosmX3gv8.png
    ConfigureDefender_x64_CrosmX3gv8.png
    16.2 KB · Views: 48
  • ConfigureDefender_x64_KkFJlTVoVp.png
    ConfigureDefender_x64_KkFJlTVoVp.png
    16.5 KB · Views: 56
  • Like
Reactions: Andy Ful

You may also like...