Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Softpedia reacted almost immediately to my email. Now, the Hard_Configurator homepage is OK:

1684934439556.png
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
Just checking logs after a week of H_C Beta3. Getting the following block on Win11

Access to C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe\WindowsPackageManagerServer.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3300} placed on path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*.



1685653133938.png

Not really tested the previous betas so not sure if same block on those.
Anyway, best way to whitelist this? Seems to be a legitimate Microsoft Installer.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,237
Attempted Path = C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe\WindowsPackageManagerServer.exe
SRP Rule GUID = {1016bbe0-a716-428b-822e-5e544b6a3300}
Description: File blocked via SRP Rule GUID for Disallowed rule C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*

Here is mine from Simple Windows Hardening, I get a lot of these DesktopAppInstaller blocks with SWH, if I remember correctly Andy said its not an issue, I don't remember why he said these blocks occur though.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
Attempted Path = C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe\WindowsPackageManagerServer.exe
SRP Rule GUID = {1016bbe0-a716-428b-822e-5e544b6a3300}
Description: File blocked via SRP Rule GUID for Disallowed rule C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*

Here is mine from Simple Windows Hardening, I get a lot of these DesktopAppInstaller blocks with SWH, if I remember correctly Andy said its not an issue, I don't remember why he said these blocks occur though.
Thanks ;)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Access to C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.10173.0_x64__8wekyb3d8bbwe\WindowsPackageManagerServer.exe has been restricted by your Administrator by location with policy rule {1016bbe0-a716-428b-822e-5e544b6a3300} placed on path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller*.
It is related to the option :
<MORE SRP ...> <Block AppInstaller> = ON

When you open Microsoft Store, it tries to execute WindowsPackageManagerServer.exe. This is probably related to the management (by developers) of applications distributed via Microsoft Store.
If you only want to install/update the applications via Microsoft Store, then you can ignore the blocks of WindowsPackageManagerServer.exe.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,237
It is related to the option :
<MORE SRP ...> <Block AppInstaller> = ON

When you open Microsoft Store, it tries to execute WindowsPackageManagerServer.exe. This is probably related to the management (by developers) of applications distributed via Microsoft Store.
If you only want to install/update the applications via Microsoft Store, then you can ignore the blocks of WindowsPackageManagerServer.exe.
Thanks Andy, explains it perfectly.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
It is related to the option :
<MORE SRP ...> <Block AppInstaller> = ON

When you open Microsoft Store, it tries to execute WindowsPackageManagerServer.exe. This is probably related to the management (by developers) of applications distributed via Microsoft Store.
If you only want to install/update the applications via Microsoft Store, then you can ignore the blocks of WindowsPackageManagerServer.exe.
Thank you!
 
F

ForgottenSeer 97327

@Andy Ful

Am I correct that Microsoft store apps can be installed and updated withOUT elevation?

I am asking because I got a laptop for an older relative and was thinking about installing H_C and running the relative user account in Standard User rights with UAC set to silently deny elevation. I have found the programs they use in MS Store, so that would be a nice benefit (using hard rights separation through standard user in stead of UAC).
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

Am I correct that Microsoft store apps can be installed and updated withOUT elevation?

Mostly, Yes (with some exceptions).
If this is the UWP app, it is updated via service with high privileges (no UAC prompt). It can be automatically updated also on SUA without prompts. Any UWP app is installed in the directory:
c:\Program Files\WindowsApps\
The already installed UWP apps are also visible in the Microsoft Store user's Library.

Some applications distributed via MS Store are not UWP apps, but desktop applications. They are installed in %ProgramFiles% or in the %UserProfile%. Also, they are not updated via Microsoft Store. Such applications can trigger UAC prompts.

If you want to avoid UAC prompts, you have to check that installed applications are UWP apps.
Some desktop (non-UWP) applications can also auto-update without the UAC prompt:
  1. The update is done via scheduled tasks with high privileges (Edge, Google Chrome, Firefox, etc.).
  2. The update is done fully in ProgramData or user AppData folders (no elevation, locations whitelisted in the H_C Recommended Settings).
 
Last edited:

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
A couple things about FirewallHardening

1. You should have the ability to select multiplie executables at once (Assuming it's something that actually can be implemented?)

2. When scrolling trough any.run and JOESandbox, I noticed that the LOLbin's that FirewallHardening block does not cover all the LOLbin's in the .NET Framework folders that are abused by malware, which I had to manually add, one by one, which happens to be exactly why I asked about the ability to add several files at once. Similarly, something to note is that I see some cryptominers use Console Window Host (aka conhost.exe) to evade detection (Refrence), and blocking it does not seem to cause any issues (atleast on my end), so it's something that should be added to the blocked LOLbin's.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
1. You should have the ability to select multiplie executables at once (Assuming it's something that actually can be implemented?)

2. When scrolling trough any.run and JOESandbox, I noticed that the LOLbin's that FirewallHardening block does not cover all the LOLbin's in the .NET Framework folders that are abused by malware, which I had to manually add, one by one, which happens to be exactly why I asked about the ability to add several files at once.

I do not plan to add the ability to select multiple executables. FirewallHardening is intended to block the often abused LOLBins, especially those that can run DLLs. The problem with blocking outbound connections is that no one knows the side effects for most LOLBins, so I am very conservative when adding new LOLBins.

Similarly, something to note is that I see some cryptominers use Console Window Host (aka conhost.exe) to evade detection (Refrence), and blocking it does not seem to cause any issues (atleast on my end), so it's something that should be added to the blocked LOLbin's.

I think that I should add conhost.exe and RunScriptHelper.exe to the FH BlockList. They are abused in the wild and there is no reason to make outbound connections via conhost.exe or RunScriptHelper.exe.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
One idea is to monitor what IPs are blocked for one week and instead of blocking all connections have a whitelist of microsoft official IP addresses.

On most computers, the FirewallHardening blocks are related to Microsoft telemetry (can be ignored).
The IP whitelist is a kind of solution but it will be different on different computers - the whitelist must be created individually by the user. Some applications can use rundll32.exe or inject the DLLs into explorer.exe to make outbound connections. In such cases, the whitelist (created by the user) would be a good solution. But, FirewallHardening is not this kind of software. There are known (more complex) applications for that. It is also possible to manually configure Windows Firewall.
 

Azazel

Level 4
Jun 15, 2023
194
Are these the correct hardening registry keys use by hard configurator when they turned on:
Windows Registry Editor Version 5.00 [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fAllowUnsolicited"=dword:00000000 "fAllowToGetHelp"=dword:00000000 "fDenyTSConnections"=dword:00000001 [HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS] "AllowRemoteShellAccess"=dword:00000000 [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] "Start"=dword:00000004

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
 
  • Like
Reactions: simmerskool

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
Are these the correct hardening registry keys use by hard configurator when they turned on:
Windows Registry Editor Version 5.00 [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fAllowUnsolicited"=dword:00000000 "fAllowToGetHelp"=dword:00000000 "fDenyTSConnections"=dword:00000001 [HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS] "AllowRemoteShellAccess"=dword:00000000 [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] "Start"=dword:00000004

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
Yes, see program description list of things blocked:

Github AndyFul/Hard_Configurator as well as the very detailed manual available from that page.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Are these the correct hardening registry keys use by hard configurator when they turned on:
Windows Registry Editor Version 5.00 [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fAllowUnsolicited"=dword:00000000 "fAllowToGetHelp"=dword:00000000 "fDenyTSConnections"=dword:00000001 [HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS] "AllowRemoteShellAccess"=dword:00000000 [HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry] "Start"=dword:00000004

Yes and No.
In the H_C manual, I do not use the registry keys in the form that could be directly imported via the *.reg file. So, I often skip the brackets [ ] and use HKLM instead of the full Hive name HKEY_LOCAL_MACHINE. This information is not for users who want to tweak the Windows Registry via *.reg files.


Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
These are OK (can be used via the *.reg file).
 
Last edited:

Azazel

Level 4
Jun 15, 2023
194
Yes and No.
In the H_C manual, I do not use the registry keys in the form that could be directly imported via the *.reg file. So, I often skip the brackets [ ] and use HKLM instead of the full Hive name HKEY_LOCAL_MACHINE. This information is not for users who want to tweak the Windows Registry via *.reg files.



These are OK (can be used via the *.reg file).
so if i replace HKLM with HKEY_LOCAL_MACHINE then the above scripts will work?
 

Azazel

Level 4
Jun 15, 2023
194

Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnsolicited"=dword:00000000
"fAllowToGetHelp"=dword:00000000
"fDenyTSConnections"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
"AllowRemoteShellAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

What are the Defaults?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top