Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
1 On Windows 11 22H2 clean install, will the settings that are on the right side of the H_C main window still work? AFAIK they are not SRP-dependent.

2 It looks like installing H_C means installing SRP along with it. I assume that as long as SRP is disabled, then there is no conflict with Windows 11 22H2 clean install?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
1 On Windows 11 22H2 clean install, will the settings that are on the right side of the H_C main window still work? AFAIK they are not SRP-dependent.

Yes.

2 It looks like installing H_C means installing SRP along with it. I assume that as long as SRP is disabled, then there is no conflict with Windows 11 22H2 clean install?

Yes.
(y)
 

Andrezj

Level 6
Nov 21, 2022
248
i tested h_c on a couple of win11 22h2 systems
1. on clean install of win11 22h2 which is then updated in virtual machine the srp dependent protections do not work
2. on a clean install of windows 11 22h2 which is then updated on a real physical system, all of h_c protections function as expected
3. on new machine with windows 11 22h2 version oem installed, all of h_c protections function as expected

i noticed on the virtual machine that sac was not disabled, but on the real physical machine sac was permanently disabled; this suggests that enabled active sac is affecting srp functionality

a reply i got from microsoft is that they are not removing srp from windows 11 22h2 or server 2022, they said look at the official microsoft removal page which does not list srp as being removed
 
Last edited:

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
i tested h_c on a couple of win11 22h2 systems
1. on clean install of win11 22h2 which is then updated in virtual machine the srp dependent protections do not work
2. on a clean install of windows 11 22h2 which is then updated on a real physical system, all of h_c protections function as expected
3. on new machine with windows 11 22h2 version oem installed, all of h_c protections function as expected

i noticed on the virtual machine that sac was not disabled, but on the real physical machine sac was permanently disabled; this suggests that enabled active sac is affecting srp functionality

a reply i got from microsoft is that they are not removing srp from windows 11 22h2 or server 2022, they said look at the official microsoft removal page which does not list srp as being removed
Good to know this info. Picking up a new Win 11 laptop next week though I won't know the installed build number until I get it.
 

Andrezj

Level 6
Nov 21, 2022
248
i tried to get those at microsoft who maintain the windows security stack documentation to document the undocumented stuff that they know about, that is discussed here like registry tweaks and ways to enable constrained language mode on home user systems without applocker or wdac
they were having no parts of it
so MalwareTips is a vital informations repo
it would be good to make a community project to take informations here and consolidate it but it would take a group effort
 

Andrezj

Level 6
Nov 21, 2022
248
Last edited:

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
551
Yesterday evening I was surprised to see the "Run as administrator" was missing from the right-click context menu and everywhere else, including from the app selection in the Search menu in my Standard user and even my Administrator accounts on Window 11, 21H2. I had no idea why and between then and this morning I must have spent a good three hours trying different things such as: breezing over the settings in H_C (this was my fatal mistake, breezing :rolleyes: ) sfc /scannow, Easy Context menu application, registry editing suggestion from Google searches, disabling and even uninstalling OSArmor, and checking Group Policy settings. Still no luck. I finally revisited H_C and selected Tools->Restore Windows Defaults and voila, I got it back! I took another look and discovered 'Hide Run As Administrator' had been set to "On" before I restored Windows Defaults :oops: I had completely forgotten that setting even exists and of course I missed it the first time I checked, and I've no idea why it was enabled, although I must have absent-mindedly enabled it recently. How embarrassing, but at least I got it back and just avoided my next step which was to restore a recent backup, which would have resolved the issue, but then I wouldn't have known how it happened in the first place :D
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Yesterday evening I was surprised to see the "Run as administrator" was missing from the right-click context menu ...

I took another look and discovered 'Hide Run As Administrator' had been set to "On" before I restored Windows Defaults :oops: I had completely forgotten that setting even exists ...
That can happen. You have a complex setup OSA, H_C, etc. It is hard to remember all of these restrictions. :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So on my 6 months old Pc that came with W11, where App control is set to Off by Windows, can not benefit to full extent H_C:s features?
If it is 6 months old then H_C should work. But, I do not recommend using H_C on Windows 11, because no one knows how it will work after the next update.
 

piquiteco

Level 14
Oct 16, 2022
626
@Andy Ful Does the Smartscreen setting of Hard_Configurator to check .EXE .MSI files leave it on for administrator or is the best option to leave it as standard user? Another question, does Hard Configurator version 6.0.1.1 have more security features compared to Hard Configurator version 5.1.1.1 Thank you! (y)
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
@Andy Ful Does the Smartscreen setting of Hard_Configurator to check .EXE .MSI files leave it on for administrator or is the best option to leave it as standard user? Another question, does Hard Configurator version 6.0.1.1 have more security features compared to Hard Configurator version 5.1.1.1 Thank you! (y)
From here: GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
"Please note: From the ver. 5.1.1.1, the Recommended Settings on Windows 8+ works differently as compared to ver. 5.0.0.0 (and prior). From the ver. 5.1.1.1, the Recommended Settings and some other predefined setting profiles use "More SRP... " - "Update Mode" = ON, which whitelists the EXE and MSI files in ProgramData and user AppData folders (other files are blocked like in ver. 5.0.0.0). If one is happy with blocking the EXE and MSI files in ProgramData and user AppData folders, then it is necessary to set "More SRP... " - "Update Mode" = OFF." It's all usually detailed in the manual.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful Does the Smartscreen setting of Hard_Configurator to check .EXE .MSI files leave it on for administrator or is the best option to leave it as standard user? Another question, does Hard Configurator version 6.0.1.1 have more security features compared to Hard Configurator version 5.1.1.1 Thank you! (y)
Can you post the screenshot of your actual H_C (main window)? If not, then simply install the latest version and set the Recommended Settings. The latest version (6.0.1.1) has got some security improvements. In most settings, Forced SmartScreen should be set to Administrator.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Thanks. My laptop has SAC turned off and I don't plan on fresh installing Windows 11 so that means H_C will work with SRP?

I'm not using MD currently as trying out Emisoft but just curious if that was the only conflicting issue with H_C recommended settings.
You have to test it. Copy the H_C shortcut to the Downloads folder and try to run it. It should be blocked if SRP works well. You can also create any shortcut in the Downloads folder and run it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top