Andy Ful

The TROUBLESHOOTING manual section has been updated. It contains info on how to use Autoruns, the Windows Event Log, and SRP logging to identify problems with running programs. That info may be useful for anyone, so I put it in this post.


TROUBLESHOOTING


Please read this paragraph carefully, because it can be helpful when in trouble, after installing any security software.

  1. Check if you have operational bootable media to access a Command Prompt, in case the system hangs or is unbootable.
  2. Some computers can have problems with bootable media or the recovery partition after upgrading the system (especially to Windows 10).
  3. Before installing any security program, make a system restore point.
  4. Sometimes the system becomes unbootable for another reason. It is recommended to unplug all external devices (pendrives, USB disks, printers, headphones, USB DVD, etc.) and restart the system.
  5. Having bootable media gives you access to a Command Prompt. Then, using Regedit or Sysinternals Autoruns, the Registry can be loaded for offline editing. From Autoruns you can disable some autostart entries that may cause problems.

Hard_Configurator troubleshooting.

  1. If the system hangs after reboot, it can be a sign that SRP or one of the program restrictions has blocked something important from loading at boot time.
  2. The simplest method to solve this problem is using one of the system restore points.
  3. Another solution is using bootable media to access a Command Prompt, and then editing the Registry offline. In most cases the problem will be with SRP, so one must edit the key:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    value DefaultLevel: change the hexadecimal value to 40000
  4. If the above did not help, then it is possible to edit or remove any registry changes made by Hard_Configurator. The Registry keys altered by the program are enumerated in this manual at the end of each paragraph.

Using Sysinternals Autoruns.

Some processes can be loaded at boot time from the User Space (= outside ‘Windows’, ‘Program Files’, ‘Program Files (x86)’). They should be whitelisted by path in SRP to load properly. Autoruns allows you to find the paths of those processes. It is very useful, because stopping something important from loading at boot time may hang the system (see the picture attached to this post).

We can see that OneDrive is starting from the User Space at the boot time.

SRP Event Log.

When an SRP rule is applied, it can be seen in the Application event log. The event IDs between 865 and 868 show the details of the process that triggered the SRP rule. It is good to look at them to see if the SRP restrictions block something important. The information about the events is very short, but sufficient in most cases to identify the problem.
There is also a nice NirSoft tool, FullEventLogView, that can be used for quick event checking.


Verbose trace logging of SRP.

If someone would like enhanced logging of running processes, then the following registry setting must be added:


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers]
"LogFileName"="c:\\Windows\\Hard_Configurator\\SRP_events.log"

LogFileName is of REG_SZ type. SRP will put more info about running processes into the file ‘SRP_events.log’. This can be used to identify the problems with a blocked application, too. Simply run the blocked application with "Run As Administrator" or "Run As SmartScreen", and then look at the last entry in the log.

For example, when ‘dllexplorer_setup.exe’ is run with "Run As SmartScreen", then the entries in the log will look like:

"RunAsSmartscreen(x64).exe (PID = 2100) identified C:\Windows\Hard_Configurator\dllexplorer_setup.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
dllexplorer_setup.exe (PID = 5236) identified C:\Users\Admin\AppData\Local\Temp\is-PPQV9.tmp\dllexplorer_setup.tmp as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}"

So, we know that dllexplorer_setup.exe is using dllexplorer_setup.tmp to execute in temporary folder ‘C:\Users\USERNAME\AppData\Local\Temp\is-ASDAD.tmp\’.
Now, dllexplorer_setup.tmp can be whitelisted, and the problem is solved.
 


Andy Ful

I tested Hard_Configurator on NordVision 10" netbook with Windows 10 Pro, 31GB flash disk VID:88 NCard (NTFS). No problems. System updates normally. :)
 

Andy Ful

Freshly installed Windows 7 tested with Hard_Configurator (All SRP + All Restrictions turned ON except "Hide 'Run As Administrator'", because "Run As SmartScreen" is not supported in Windows 7).
After 223 updates, I checked the Event Log. One update was stopped by SRP in the User Space:
C:\Users\UserName\AppData\Local\NVIDIA\NvBackend\Packages\000063ef\DRS update.18761999.exe
So I installed this update manually with "Run As Administrator".
It seems that blocking 'C:\Windows' writable subfolders has no negative impact on Windows Updates in Windows 7. Anyway, it is good to look into the Event Log sometimes to check whether SRP blocked something.
Now, I'm going to test Windows 10. :)

Remark.
Updating a fresh Windows 7 is a rather painful task, because of the "Windows Update is taking an unusually long time to scan and install updates" problem. The recommended procedure is:
1. Turn off Windows Updates.
2. Manually install Internet Explorer 11.
3. Manually install KB3020369 and KB3172605 (https://support.microsoft.com/en-us/kb/3200747).
4. Turn on Automatic Windows Updates.
5. Install Windows Updates in two or more parts, because of the 'out of memory' problem. o_O
 

Windows_Security

Hard_Configurator makes changes in Windows Registry to accomplish tasks enumerated below:

7. Disabling/Signed/Enabling PowerShell script execution (Windows 7+).

9. Disabling/Signed/Enabling Windows Script Host.
Andy, great work, bravo :)

Maybe a suggestion to add 'Signed' as an option to both Windows scripts and PowerShell scripts?

Signed scripts
Signature Verification Policy
Microsoft Windows 2000 Scripting Guide - Enforcing the Use of Signed Scripts

AllSigned execution policy of PowerScript
Change Execution Policy in the Registry

Please add 16-bit hardening in this section for 32-bit systems
Prevent access to 16-bit applications | Windows security encyclopedia
 

Windows_Security

Hard_Configurator makes changes in Windows Registry to accomplish tasks enumerated below:

8. Restricting shortcut execution to some folders only.

This program was created for advanced users to secure inexperienced users. :)
Andy, I applaud this initiative.

Enable/disable SafeSearchDLL
Dynamic-Link Library Search Order (Windows)
Safe DLL Search Mode Enabled - oval:gov.nist.3:def:122

Apply Secure Shell extensions only
Enforce Shell Extension Security at Registry Guide for Windows
Only allow approved Shell extensions
 

Windows_Security

Hard_Configurator makes changes in Windows Registry to accomplish tasks enumerated below:

12. Disabling/Enabling Remote Assistance (Windows Vista+).

This program was created for advanced users to secure inexperienced users. :)
Andy, my last additional request (which I added manually before you made this great tool):

Remote SHELL access:
See https://social.technet.microsoft.com/Forums/windowsserver/en-US/130cb89c-977e-43d2-9dba-ed90763af63c/policy-to-disable-remote-shell-on-Windows 7?forum=winserverGP
Disabled = 0

Remote REGISTRY access
Windows 7 - Disable Remote Registry Access (disable service)

Can't repeat it enough: great job
 

cryogent

Hello, I tested Hard_Configurator on a Windows 7 virtual machine with Crystal Security, but the manual scan of a file does not work.
I tried to exclude the temp file by path or hash, but Crystal Security generates a different temp file name every time.
My mistake, the temp file is not related to Crystal Security.
In this case, what can I do?
 

Andy Ful

Andy, my last additional request (which I added manually before you made this great tool):

Remote SHELL access:
See https://social.technet.microsoft.com/Forums/windowsserver/en-US/130cb89c-977e-43d2-9dba-ed90763af63c/policy-to-disable-remote-shell-on-Windows 7?forum=winserverGP
Disabled = 0

Remote REGISTRY access
Windows 7 - Disable Remote Registry Access (disable service)

Can't repeat it enough: great job
Thanks for your support and kind words. I am now testing the new version of Hard_Configurator with two important options:
1. Automatic searching of User Space autoruns (filtering the output of the Sysinternals Autorunsc command line tool https://download.sysinternals.com/files/Autoruns.zip).
2. Finding the SRP events in the Windows Event Log to see which EXE and MSI files were blocked by SRP (based on NirSoft FullEventLogView).
After I finish this, I will carefully rethink your suggestions. Some things you have mentioned are new to me. :)
 

Andy Ful

Hello, I tested Hard_Configurator on a Windows 7 virtual machine with Crystal Security, but the manual scan of a file does not work.
I tried to exclude the temp file by path or hash, but Crystal Security generates a different temp file name every time.
My mistake, the temp file is not related to Crystal Security.
In this case, what can I do?
You can look in the Windows Event Log (events 685, 686, 687, 688) to see if SRP has blocked any Crystal Security process. Probably, the Crystal Security manual scanner is run with Medium Integrity Level, and when you try to scan a file in the User Space, SRP blocks access to this file. If so, you must create and then whitelist by path a special folder for manual file scanning. Please post here if this helped (or not). :)
 

Andy Ful

Nice tool.

I would like to see a safe group policy security settings part of your software.
Do you think of transferring the SRP registry settings to Group Policy settings? I read about a tool SRP2LGPO.EXE that can do this:
Stop mal(icious soft)ware with Software Restriction Policies
The above homepage contains very interesting information about SRP, and about activating SRP through the INF file.

By the way, Windows Local Security Policy periodically refreshes the Registry, and can wipe out some of the Hard_Configurator settings. So, it is not good to use both Hard_Configurator and Local Security Policy to configure SRP.
 

Andy Ful

You can look in the Windows Event Log (events 685, 686, 687, 688) to see if SRP has blocked any Crystal Security process. Probably, the Crystal Security manual scanner is run with Medium Integrity Level, and when you try to scan a file in the User Space, SRP blocks access to this file. If so, you must create and then whitelist by path a special folder for manual file scanning. Please post here if this helped (or not). :)
Crystal Security in default settings starts the manual scanner with Administrative Rights. But SRP denies execution of:
C:\Users\UserName\AppData\Roaming\Crystal Security\3.5\Shell Integration.exe
so this file must be whitelisted. Tested on my computer.
By the way, @Kardo-Kristal worked hard to make his program both useful and smart.:)
 

Andy Ful

Been looking for something like this. Thanks.
I found more info about events to control blocking by SRP, disabling Windows Script Host and PowerShell:

SRP related
provider: Microsoft-Windows-SoftwareRestrictionPolicies
865 - policy level
866 - path rule
867 - certificate rule
868 - hash or zone rule
882 - other

1007 provider: MsiInstaller
1008 provider: MsiInstaller

Non SRP related
1000 provider: Windows Script Host, only when scripts were run with Administrative Rights
4100 provider: Microsoft-Windows-PowerShell

The above settings are included in the attachment file (FullEventLogView.txt). This is FullEventLogView config file with extension changed to TXT.
 


AtlBo

Really great idea. Over the years, I have noticed how Windows records blocks as errors. For example, I turned off data collection for Windows, and Windows reports error 2 "Kernel Logger failed to start" etc. I'll try the config you posted. :)

I have been seeing some errors that appear this way:

Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\iseguard64.dll because the set of per-page image hashes could not be found on the system.
Just want to get rid of them if I can. iseguard64.dll is a Comodo FW file, but when I researched it across Google I saw the error can be associated with various .dlls. Ever run into one of these? Don't want to sidetrack the thread. This and some other errors are why I was happy to find FELV in your thread. Event Viewer is clumsy in comparison for anything serious.

I want to become knowledgeable enough to try Hard_Configurator. I don't think I'm ready now though. I'll keep following the developments. :D
 

Andy Ful

Really great idea. Over the years, I have noticed how Windows records blocks as errors. For example, I turned off data collection for Windows, and Windows reports error 2 "Kernel Logger failed to start" etc. I'll try the config you posted. :)

I have been seeing some errors that appear this way:



Just want to get rid of them if I can. iseguard64.dll is a Comodo FW file, but when I researched it across Google I saw the error can be associated with various .dlls. Ever run into one of these? Don't want to sidetrack the thread. This and some other errors are why I was happy to find FELV in your thread. Event Viewer is clumsy in comparison for anything serious.

I want to become knowledgeable enough to try Hard_Configurator. I don't think I'm ready now though. I'll keep following the developments. :D
I think that the problem with iseguard64.dll is similar to the problem with a2hooks64.dll from Emsisoft Anti-Malware. See Fabian Wosar's answer:
Code Integrity is unable to verify the image integrity of the file a2hooks64.dll because the set of per-page image hashes could not be found on the sy
 

Andy Ful

Freshly installed Windows 10 Pro 64-bit tested with Hard_Configurator (All SRP + All Restrictions turned ON).

The system successfully upgraded to version 1607. All updates (except one) were installed without problems.
One update was stopped by SRP in the User Space (Graphic Card update):
C:\Users\UserName\AppData\Local\NVIDIA\NvBackend\Packages\000063ef\DRS update.18761999.exe
Four autoruns were blocked (Windows OneDrive):
c:\users\UserName\appdata\local\microsoft\onedrive\17.3.6517.0809\onedrivestandaloneupdater.exe
c:\users\UserName\appdata\local\microsoft\onedrive\17.3.6517.0809\FileSyncConfig.exe
c:\users\UserName\appdata\local\microsoft\onedrive\17.3.6517.0809\OneDriveSetup
c:\users\UserName\appdata\local\microsoft\onedrive\onedrive.exe
Nothing has been blocked in the hardened 'Windows' subfolders (SRP denies execution in writable subfolders). All System Scheduled Tasks work normally, with some exceptions.
There are some PowerShell scripts in the folder 'c:\Windows\diagnostics\scheduled\Maintenance\' that can be used by scheduled tasks.

Windows 7:
CL_Utility.ps1, RS_AdminDiagnosticHistory.ps1, RS_MachineWERQueue.ps1, RS_RemoveUnusedDesktopIcons.ps1
RS_UserDiagnosticHistory.ps1, RS_UserWERQueue.ps1, TS_BrokenShortcuts.ps1, TS_DiagnosticHistory.ps1,
TS_InaccurateSystemTime.ps1, TS_UnusedDesktopIcons.ps1, TS_VolumeErrors.ps1, TS_WERQueue.ps1

Windows 10 Pro:
CL_Utility.ps1, RS_AdminDiagnosticHistory.ps1, RS_MachineWERQueue.ps1,
RS_UserDiagnosticHistory.ps1, RS_UserWERQueue.ps1, TS_DiagnosticHistory.ps1,
TS_InaccurateSystemTime.ps1, TS_VolumeErrors.ps1, TS_WERQueue.ps1

For example, sdiagnhost.exe can often trigger the troubleshooter scripts TS_WERQueue.ps1, TS_DiagnosticHistory.ps1, and the library of functions CL_Utility.ps1. They are not needed in a healthy system, and the Diagnosis-Scheduled task can work without them. The NetTrace GatherNetworkInfo task also uses the script gatherNetworkInfo.vbs.
Those scripts are not required in a healthy system but may be useful when something goes wrong. So, it's reasonable to let them run from time to time.
 

Andy Ful

Advanced SRP logging (Verbose trace logging of SRP).

Windows Event Log is useful when EXE, MSI, and (or) script files are blocked, but sometimes the information about DLLs blocked by SRP is required. So, we can activate Verbose trace logging of SRP by changing the Registry:

HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers
LogFileName
Value REG_SZ
c:\Log_Path\SRP.log

Now, the info about all processes that were run with Administrative Rights is written to the file SRP.log. This can be used to identify the problems with blocked DLLs, when ‘SRP Transparent Enabled’ is set to ‘Include DLLs’. You have to run the blocked application with "Run As Administrator" or "Run As SmartScreen" (bypassing SRP), and then look at which User Space DLLs are in the log.
For example, if ‘EagleGet Downloader’ is "Run As Administrator" the log shows the below User Space entries:

EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\CrashRpt.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\libcurl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\sqlite3.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\zlib.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\SSLEAY32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\LIBEAY32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\ssl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\sslQuery.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\dl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified D:\Portable\EagleGet_\EGMonitor.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\sqlite3.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\dl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
(I removed numerous entries related to DLLs from C:\Windows\System32 folder).

All the above DLLs and the file EGMonitor.exe must be whitelisted too.

(If you are lazy, then D:\Portable\EagleGet_\*.dll wildcard path entry will be sufficient).

Another example, when NoVirusThanks ‘dllexplorer_setup.exe’ is "Run As SmartScreen", then the User Space entries in the log will look like:

dllexplorer_setup.exe (PID = 5236) identified C:\Users\Admin\AppData\Local\Temp\is-PPQV9.tmp\dllexplorer_setup.tmp as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

So, we know that dllexplorer_setup.exe is using dllexplorer_setup.tmp to execute in temporary folder ‘C:\Users\USERNAME\AppData\Local\Temp\is-ASDAD.tmp\’.
Now, dllexplorer_setup.tmp can be whitelisted, and the program can be run normally, without using Administrative Rights.

The original SRP.log has numerous entries related to DLLs from C:\Windows\System32 and other System Space locations, so it's not easy to find a few entries from User Space. In the new Hard_Configurator version, I will add the option to filter from this log only scripts and User Space DLLs.
 
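As an added example (my own code, not part of Hard_Configurator or of the posts above), here is the kind of filter the last post describes for the verbose SRP log, covering both the TROUBLESHOOTING section's 'SRP_events.log' example and the EagleGet/dllexplorer entries above: it parses the "identified ... as ... using ... rule" lines, strips the NT "\??\" prefix, drops everything under the System Space folders, and returns the unique User Space files that need whitelisting, collapsing a folder with several DLLs into the "*.dll" wildcard suggested above. The sample log lines are constructed from the entries quoted in the thread (the System32 and Program Files lines are made up to show the filtering), the System Space folder list assumes drive C: as the post's definition of User Space implies, and all function names are mine.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# Constructed sample of SRP verbose trace log lines, modelled on the entries
# quoted in this thread; the System32 / Program Files lines are invented
# so that the System Space filtering has something to drop.
SAMPLE_LOG = r"""
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\C:\Windows\System32\kernel32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\C:\Program Files (x86)\Common Files\example.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\sqlite3.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EagleGet.exe (PID = 4704) identified D:\Portable\EagleGet_\EGMonitor.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
dllexplorer_setup.exe (PID = 5236) identified C:\Users\Admin\AppData\Local\Temp\is-PPQV9.tmp\dllexplorer_setup.tmp as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}"
this line is not an SRP entry and must be skipped
"""


class SrpEntry(NamedTuple):
    process: str  # image whose load/launch triggered the SRP check
    pid: int
    path: str     # checked file in Win32 form (NT "\??\" prefix removed)
    level: str    # security level SRP assigned, e.g. Unrestricted
    rule: str     # rule that decided it, e.g. "default"
    guid: str     # GUID of that rule


# Shape of one verbose-log line as quoted in the thread (my regex, an assumption).
LINE_RE = re.compile(
    r"^(?P<process>.+?) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+?) rule, Guid = \{(?P<guid>[0-9a-fA-F-]+)\}$"
)

NT_PREFIX = "\\??\\"

# "User Space" as the post defines it: anything outside these folders.
# Assumes the system drive is C:.
SYSTEM_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix the DLL entries carry."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_line(line: str) -> Optional[SrpEntry]:
    """Return an SrpEntry for a trace line, or None for anything else."""
    m = LINE_RE.match(line.strip().strip('"'))  # tolerate forum quote marks
    if not m:
        return None
    return SrpEntry(m["process"], int(m["pid"]), normalize_path(m["path"]),
                    m["level"], m["rule"], m["guid"])


def is_user_space(path: str) -> bool:
    """True unless the path is inside one of the System Space folders."""
    p = path.lower()
    return not any(p == d or p.startswith(d + "\\") for d in SYSTEM_DIRS)


def user_space_entries(log_text: str) -> List[SrpEntry]:
    """Unique User Space files in the log, first occurrence wins, order kept."""
    seen = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_user_space(entry.path):
            seen.setdefault(entry.path, entry)
    return list(seen.values())


def suggest_whitelist(paths: List[str]) -> List[str]:
    """Folders holding two or more DLLs get a '*.dll' wildcard rule, as the
    post suggests; every other file is listed on its own."""
    by_dir = {}
    for p in paths:
        by_dir.setdefault(ntpath.dirname(p), []).append(p)
    rules = []
    for folder, files in by_dir.items():
        dlls = [f for f in files if ntpath.splitext(f)[1].lower() == ".dll"]
        rules.extend([ntpath.join(folder, "*.dll")] if len(dlls) >= 2 else dlls)
        rules.extend(f for f in files if f not in dlls)
    return rules


if __name__ == "__main__":
    entries = user_space_entries(SAMPLE_LOG)
    for e in entries:
        print(f"{e.process} (PID {e.pid}) -> {e.path} [{e.level}, {e.rule} rule]")
    print("Suggested path rules:")
    for rule in suggest_whitelist([e.path for e in entries]):
        print("  " + rule)
```

To use it on a real trace, read the file named in LogFileName and pass its contents to user_space_entries; the entries it returns are exactly the ones the post says must be whitelisted, and the System32 noise the post complains about never reaches the output.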