Run by Smartscreen utility

[Andy Ful]

Forgive my ignorance( not intentional) but when or how does the smart screen activate ? And does it only work if your running Microsoft Defender as your primary Av? The article seems to say it checks downloads and also related to web browser protection?

Hard_Configurator uses the "Check app and files" SmartCreen feature. It is a SmartScreen file check integrated with Explorer. This feature is enabled by default in Windows 8+.
As I mentionned in my previous posts, it works with any AV.

 

[LennyFox]

@Andy Ful is there any difference between run-by-smartscreen and install-by-smartscreen? Is run maybe for exe's and insta;; for msi's?

 

[Andy Ful]

Do you use H_C?
"Install By SmartScreen" works only with H_C.
"Run By SmartScreen" works also without H_C.

 

[LennyFox]

@Andy Ful

Well yes and no I first configured H_C the way I want it on my old laptop with Windows 11 Home (in SWH mode plus blocking LoLbins for standard users). Than exported the Safer registry keys. Next I deïnstalled H_C and installed WHHL. The next bit might trigger your scepcis. Next I removed the Safer key with regedit and imported the H_C based Safer SRP regkeys.

When my new laptop arrived I just disabled SAC, ran the regtweak to enable SRP and copied the WDAC.cip and SRP.rep from my old laptop to my new (with same partitions and folder structure on Data partition) and deleted the WHHL program data folder on my old laptop (my wife is now using it and she does not install software and I know where the active CIP files are located).

Yesterday I noticed that I was missing the right click "Run By SmartScreen" or "Install By SmartScreen", but I just downloaded it with the your other hardening tools (documents anti exploit and fire wall hardening and configure defender) from GitHub. Althoug I have a Windows 11 Pro now, using your programs is much easier.

I have ran the H_C in SWH with exytra LoLBins block for standard user for years and WHHL WDAC-ISG runs fine for three months now (new laptop is same model as old with a better CPU, so I don't expect any problems).

 

[Andy Ful]

I am not sure what you did and which restrictions currently work.
You can still use H_C to manage the setup (except for WDAC policies).
But, do not run WHHLight (it will remove the LOLBin restrictions and add some non-SRP hardening).

 

[LennyFox]

Both WDAC-ISG and SRP allow Windows, Program Files, Program Files (x86) and ProgramData\\Microsoft\Windows Defender\Platform. SRP blocks the file extensions set by H_C for standard users with your extra Windows 'UAC hole' folders protection plus your exe/msi/tmp blocks for LocalLow and zip extraction folders +your H_C sponsor blocks and allows exceptions for lnk from the safe locations you specified in H_C. I am using Outlook and only Windows build-in zip, so don't need the exe/msi/tmp blocks of the other archivers and email programs. I added (exe/msi/tmp) deny for my public and download folder plus Documents/Images/Music/Video folders on D (data) partiion. I have been running your H_C config in SWH-mode plus sponsor blocks for standard with CD on MAX with all ASR rules enabled since I bought my previous laptop in 2021. Only when HP support assistant tells me it has new drivers, I have to enable CMD through reg-file temporarely.

I know you often post that SWH compared to SWH + blocking LoLbins is onlly marginally better protection. When I disable CMD the SRP block warning seems to overrule the CDM disabled and no access allowed messages. For my wife it is clearer. When she would encounter an SRP block she would know the admin set policies to block it, while the others may confuse here that something is malfunctioning. So for me it is more a useability tweak than a security tweak to add LoLBin blocks.

 

[Andy Ful]

I added (exe/msi/tmp) deny for my public and download folder plus Documents/Images/Music/Video folders on D (data) partiion.

How?

 

[LennyFox]

How?

Asking for a unique GUIDs with Powershell and overriding the values H_C created for emails and archivers I don't use. I checked all the blocks I added in those folders using notepad. I used other GUID's so when I borked up I could reset everything with SWH or H_C.

 

[Andy Ful]

Asking for a unique GUIDs with Powershell and overriding the values H_C created for emails and archivers I don't use. I checked all the blocks I added in those folders using notepad. I used other GUID's so when I borked up I could reset everything with SWH or H_C.

OK.
You cannot run H_C, too. This would destroy your setup.

 

[Andy Ful]

It would be easier to apply the setup as follows:

1. Run WHHLight and apply WDAC with your preferred Whitelits (for example include Program Files and Program Files (x86)).
2. Use H_C Recommended Settings + preferred LOLBins + any adjustments you want.
3. Use ConfigureDefender MAX settings + FirewallHardening H_C Recommended settings.
4. Do not run WHHLight, because it will restore the initial settings.

In this way, you can get your setup and ability to manage it via H_C (except WDAC policies).
The folders whitelisted in UserSpace by H_C (%ProgramData% and %UserProfile%\AppData) are automatically protected by WDAC ISG.
The rest of UserSpace (including Public and Downloads folders + Documents/Images/Music/Video folders) will be automatically blocked on any partition.

 

[Practical Response]

How?

Generative AI is experimental but really cool on how it will generate the commands you would need to copy into PowerShell. A quick Google search asking how to do so will generate this instantly.

 

[Andy Ful]

Generative AI is experimental but really cool on how it will generate the commands you would need to copy into PowerShell. A quick Google search asking how to do so will generate this instantly.

Yes, this could be done in many ways. But, the easiest way for LennyFox was using H_C registry entries as a starting point (he already used them in his config). By the way, using PowerShell for creating GUIDs was unnecessary.