Hard_Configurator - Windows Hardening Configurator

Andy Ful

I would say it's in the same folder, H_C is installed ;)

There I, of course, immediately looked, but there it is not. It turns out that saving takes place in the registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\Whitelist
Maybe you need a button to save WhiteList to a regfile?
You can export/import setting profiles & whitelist profiles into one backup file by using:
<Tools><Manage Profiles BACKUP>
The backup is in the folder .\Backup.
Do not use the name DefaultBackup.hbp for your custom backup, because this will overwrite the H_C native backup.
 

plat

What would cause H_C to crash? It's isolated, no other errors in conjunction with it and it hasn't crashed since.

Just curious but request details so as not to instigate this again. Can't recall having done anything except change a setting from OFF to ON. Nothing overtly happened.

 

aldist

You can export/import setting profiles & whitelist profiles into one backup file by using:
<Tools><Manage Profiles BACKUP>
The backup is in the folder .\Backup.
Thanks! This is useful knowledge.
Furthermore, the H_C is intentionally hidden to avoid the uninstallation by casual users, children, etc. (when their computers are configured by advanced users).
When installing H_C, the "hidden" attribute is automatically set for this folder? My folder is visible, I did not remove the attribute. In any case, it's not a problem to set this attribute yourself.
 

aldist

It may be necessary to protect the "safer" registry hive from outside changes (without Hard_Configurator), options "Secure Profile" or "Secure Rules".
Regfile srp_disable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00040000

disables SRP protection, and after that SwitchDefaultDeny (SDD) determines the SRP status correctly, but cannot enable it until the regfile is applied srp_enable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00000000

 

aldist

In the main window H_C, the protection status (ON / OFF) can be determined only from the values in the VALUE table. Agree, this is very unfriendly and uninformative even for an advanced user. Replacing the button with a switch like the SDD would make it clear even to an inexperienced home user.
 

Andy Ful

Thanks! This is useful knowledge. When installing H_C, the "hidden" attribute is automatically set for this folder? My folder is visible, I did not remove the attribute. In any case, it's not a problem to set this attribute yourself.
H_C installation is not visible (hidden) when you use "Apps & features" to see the installed applications. It is not related to the "hidden" file/folder attribute.
 

Andy Ful

What would cause H_C to crash? It's isolated, no other errors in conjunction with it and it hasn't crashed since.

Just curious but request details so as not to instigate this again. Can't recall having done anything except change a setting from OFF to ON. Nothing overtly happened.

Probably some other security feature tries to prevent H_C.
 

Andy Ful

It may be necessary to protect the "safer" registry hive from outside changes (without Hard_Configurator), options "Secure Profile" or "Secure Rules".
Regfile srp_disable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00040000

disables SRP protection, and after that SwitchDefaultDeny (SDD) determines the SRP status correctly, but cannot enable it until the regfile is applied srp_enable.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00000000

The changes in the HKLM Registry Hive require elevation of privileges.
The SRP settings in the H_C are intentionally configured to allow processes with Admin rights (to avoid problems related to blocking system processes). It means that the malware running with Admin rights does not need to disable SRP, because SRP does not see it anymore.
This scenario is not an issue in the home environment on well updated Windows with well updated software. The H_C Recommended Settings are very restrictive for processes running with standard privileges, so the malware has very small chances to run and even fewer chances to elevate.

Switching OFF the restrictions does a lot more than simply changing the SRP DefaultLevel. It is intended to remove the SRP restrictions temporarily, but remembers the last restrictions (so they can be restored with one mouse click). Changing the SRP DefaultLevel does not switch OFF the restrictions, so they cannot be switched ON. SwitchDefaultDeny is not intended to solve the configuration problems, but it is intended to simplify the installation of applications in the UserSpace.

All the above and probably most of your future questions were already explained (several times) on this forum. But, the quickest way is simply to read the H_C manual. You can start from FAQ. :)(y)
 
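As an added example (not part of the thread and not Hard_Configurator code), the Python check below reads the text of a .reg file before it is imported and reports what it would do to the SRP DefaultLevel value discussed above. The level names are the SAFER level IDs from the Windows SDK; the function name, the result tuple and the `needs_review` flag are illustrative assumptions, and the check looks only at DefaultLevel, not at the H_C switch state.

```python
import re

# SAFER level IDs from the Windows SDK (winsafer.h), as used by SRP DefaultLevel.
SAFER_LEVELS = {0x00000: "Disallowed", 0x01000: "Untrusted", 0x10000: "Constrained",
                0x20000: "Basic User", 0x40000: "Unrestricted"}
SRP_KEY = r"hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [key] or [-key] (delete key)
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # "Name"=data

def srp_default_level_changes(reg_text):
    """Return (effect, level, needs_review) for each DefaultLevel change found."""
    findings, in_srp_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):     # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            deleted, key = m.group(1) == "-", m.group(2).lower()
            in_srp_key = key == SRP_KEY and not deleted
            # Deleting the key or any of its parents removes the stored policy.
            if deleted and (SRP_KEY + "\\").startswith(key + "\\"):
                findings.append(("key deleted", None, True))
            continue
        m = VALUE_RE.match(line)
        if not (in_srp_key and m and m.group(1).lower() == "defaultlevel"):
            continue
        data = m.group(2).strip().lower()
        if data == "-":                          # "Name"=- deletes the value
            findings.append(("value deleted", None, True))
        elif data.startswith("dword:"):
            level = int(data[6:], 16)
            # Anything other than Disallowed (0) is flagged for review.
            findings.append((SAFER_LEVELS.get(level, "unknown"), level, level != 0))
    return findings

# Sample input: the two regfiles quoted in the thread above.
SRP_DISABLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00040000
'''
SRP_ENABLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
"DefaultLevel"=dword:00000000
'''

if __name__ == "__main__":
    for name, text in (("srp_disable.reg", SRP_DISABLE_REG), ("srp_enable.reg", SRP_ENABLE_REG)):
        print(name, srp_default_level_changes(text))
```

Files exported by regedit in the "Version 5.00" format are normally UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text in.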

Andy Ful

Do you think that the (link ->) protection of such a plan (<- link) would be excessive? In the example shown, the rules cannot be changed from outside this program. You do not need to disable this protection to change the rules from within this program.
I do not use WFC, so I cannot help. Although restricting firewall connections can help, it cannot stop the connections of many malwares except when blocking svchost and taskhost connections (and maybe some others). Such a setup requires much attention/maintenance and can be painful for most users.

In the example shown, the rules cannot be changed from outside this program.
From the www.binisoft.org:
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "
It means that the settings applied by WFC can be changed from outside WFC by elevated malware.

Edit (thanks to @SeriousHoax).
There is also additional information about WFC tamper protection:
"Disable the ability of other programs to tamper Windows Firewall rules and state."
So, tampering by the malware can be harder than I thought.
 

Andy Ful

In the main window H_C, the protection status (ON / OFF) can be determined only from the values in the VALUE table. Agree, this is very unfriendly and uninformative even for an advanced user. Replacing the button with a switch like the SDD would make it clear even to an inexperienced home user.
The H_C is too complex for a simple GUI. Current GUI looks strange in the beginning, but in fact, it is probably most usable in practice after some time of using the H_C. But, nothing is perfect, so probably a better GUI exists. Unfortunately, this GUI sometimes has problems with display rescaling. Please try to make another GUI and we can discuss if it could be better for advanced users.
The arguments related to inexperienced users are not relevant, because H_C should not be used by them. I prepared the SwitchDefaultDeny tool for them.
 

SeriousHoax

From the www.binisoft.org:
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "
It means that the settings applied by WFC can be changed from outside WFC by elevated malware.
It has an option to secure rules though which states that windows firewall rules can't be altered outside of WFC. The statement above is totally the opposite. I'm confused now 🤔
 

Andy Ful

It has an option to secure rules though which states that windows firewall rules can't be altered outside of WFC. The statement above is totally the opposite. I'm confused now 🤔
Any such protection can be bypassed by elevated processes. But how hard this would be, can depend on the protection applied. It can be the protection against tampering with standard rights, or it can be performed via the special driver, etc. In my previous post, I referred to the first possibility. I do not know how strong can be WFC tampering protection (against the processes running with high or system integrity level), that is a question to the developer. From what you have posted, it can be stronger than I concluded from the:
"Windows Firewall Control doesn't do any packet filtering and does not block or allow any connection. This is done by Windows Firewall itself based on the existing firewall rules. "
 

aldist

I do not use WFC, so I cannot help.
No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hive protection in H_C as implemented in WFC.
It means that the settings applied by WFC can be changed (without a problem) from outside WFC by elevated malware.
This is not possible with Secure Rules and Secure Profiles enabled.
Current GUI looks strange in the beginning
You can get used to the current interface, I'm used to it. Without changing the interface globally and without changing the two bottom buttons, is it possible to add such a simple indicator?

Andy Ful

No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hive protection in H_C as implemented in WFC. This is not possible with Secure Rules and Secure Profiles enabled. You can get used to the current interface, I'm used to it. Without changing the interface globally and without changing the two bottom buttons, is it possible to add such a simple indicator?
Adding more buttons is not necessary and they do not look well in the H_C window. I have already solved this problem in version 6.0.0.0 by simply changing the colors (OFF --> blue).

 

Andy Ful

No, no, I don't need help with WFC, I know him very well. I just suggested that you consider using the same registry hive protection in H_C as implemented in WFC.
...
This would be useless. Did you read my previous post?
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-896094

Shortly:
  1. SRP in H_C is intentionally configured to not restrict the elevated processes. So, the elevated malware is not restricted by SRP with or without the Registry protection.
  2. There is no need to protect the SRP Registry values, because no malware bothers to change them. Furthermore, with the H_C restrictions malware has no chance to change them, because it will not be allowed to run.
  3. The Registry protection you think of will require a 3rd party, real-time driver. The H_C is a configurator, so the H_C processes can run only in a short time when you configure the settings and disappear from the system when you close the H_C (no real-time 3rd party software).
 

aldist

I have already solved this problem in version 6.0.0.0 by simply changing the colors (OFF --> blue).
Okay, I welcome this decision. But you will be confused if you arrive at a blue traffic light. Colors are poorly chosen. Red - protection disabled, green - protection enabled. And the APPLY CHANGES button can be left red.
Ok, I read all your posts.
 

Andy Ful

Colors are poorly chosen. Red - protection disabled, green - protection enabled. And the APPLY CHANGES button can be left red.
Ok, I read all your posts.
The red color in H_C has a different meaning. It warns the user that the option should be used with caution (see also <Tools> features). So, it would be adequate for disabling the protection. I like the blue choice - the restrictions are not disabled, but switched OFF (which is far more than disabling) and can be easily switched ON (red color not required). But, it is probably only a choice based on taste.
 