New Update Simple Windows Hardening

Semlr

New Member
Aug 5, 2020
4
@Semlr,
Could you please test if this issue is also present for some other applications:
Thank you.

What version of a virtual machine do you use?

Thanks for your response.
Here are my results:

Hard_Configurator:
  • Same error
ConfigureDefender-repo (hardening tools?):
  • Configuire Defender started just fine,
  • DocumentsAntiExploits same error,
  • Network hardening startet just fine.
VM:
Hyper V, Gen2-setup:
client:
1596630683667.png

& Kaspersky Antivirus (just as a sidenote, it did not interfere)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Thanks for your response.
Here are my results:

Hard_Configurator:
  • Same error
ConfigureDefender-repo (hardening tools?):
  • Configuire Defender started just fine,
  • DocumentsAntiExploits same error,
  • Network hardening startet just fine.
VM:
Hyper V, Gen2-setup:
client:
View attachment 244997
& Kaspersky Antivirus (just as a sidenote, it did not interfere)
Thanks. I am trying to reproduce this issue on the official Hyper-V Windows 10 Enterprise Evaluation ver. 2004 build 19041.329, but everything works well. Anyway, this is Hyper-V Gen 1.
Do you have a link to the official Gen 2 Hyper-V Windows 10 virtual machine?
 

Semlr

New Member
Aug 5, 2020
4
Thanks. I am trying to reproduce this issue on the official Hyper-V Windows 10 Enterprise Evaluation ver. 2004 build 19041.329, but everything works well. Anyway, this is Hyper-V Gen 1.
Do you have a link to the official Gen 2 Hyper-V Windows 10 virtual machine?
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
Is it possible to collect a trace log or stack trace for autoit-scripts?
Currently we only know the line number (32692), if this is accurate.
 
  • Like
Reactions: Protomartyr

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
Is it possible to collect a trace log or stack trace for autoit-scripts?
Currently we only know the line number (32692), if this is accurate.
The final Autoit executable contains the code made by developer + many Autoit built-in functions added in the process of compilation. It is possible to decompile 32-bit executables via Exe2Aut tool. But, you have 64-bit version.
It is probably possible to install Autoit in the VM and run the script (without compilation). Then the error will show the line in the concrete Autoit function.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
...
I have just finished testing on the VM like the above one - no problems. So, it seems that the only way to identify the issue is to run the source scripts (not compiled) on your virtual machine.
If you would like to do this, then you can use the source from:
The archive has to be unpacked to the Windows folder so the scripts will be placed in the folder: c:\Windows\Hard_Configurator .
Installation of Autoit is necessary:
For testing H_C and DocumentsAntiExploit the below scripts can be run from the Explorer:
c:\Windows\Hard_Configurator\Hard_Configurator.au3
c:\Windows\Hard_Configurator\DocumentsAntiExploit.au3
These scripts use other files so all source scripts are required in the Hard_Configurator folder.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Thank you for the guideline.
I executed the DocumentsAntiExploit.au3 and
I found a clue:
View attachment 245015

The logged on user does not have administrator rights (standard user).
Admin rights are granted by another user account which is local administrator.
Maybe this "mismatch" (logged on user vs user which granted admin rights) cause this error?
I forgot that the archive is password protected 🙃:
hard_configurator5111

This function works well (both on Admin Account or SUA) and normally the variable $User[0] contains the SID of the Current User. I think that probably some security prevents reading the SID.

Please replace the function _GetCurrentUserSID() with this code:
Code:
Func _GetCurrentUserSID()
    Local $User = _Security__LookupAccountName(_GetCurrentUser(),@ComputerName)
    If @error Then Return SetError(1,0,"")
    Return 1
;    Return $User[0]
EndFunc

But do not apply restrictions.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Semlr,
Thanks for the support. I will add an alert about such an event and the program will gently exit, instead of showing the error.(y):)
The CurrentUser SID is essential only for DocumentsAntiExploit tool, and the code related to _GetCurrentUserSID can be removed in actual versions of H_C, SwitchDefaultDeny, and SWH.
 
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
After a month of trying it out on my desktop with windows defender on MAX (with protected folders enabled) running as standard user, I installed identical config on my girlfriends laptop.

Security becomes tedious and dull wilt Andy Full's hardening tools. NO PROBLEMS, NO INFECTIONS, NO POPUPS, NO INCOMPATIBILITIES :sleep:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
After a month of trying it out on my desktop with windows defender on MAX (with protected folders enabled) running as standard user, I installed identical config on my girlfriends laptop.

Security becomes tedious and dull wilt Andy Full's hardening tools. NO PROBLEMS, NO INFECTIONS, NO POPUPS, NO INCOMPATIBILITIES :sleep:
Yes, this setup can be used on many machines with popular software (high prevalence).
Anyway, the WD MAX Protection Level can produce some problems for people who like to try many applications, especially not very popular ones. A few ASR rules can produce problems, for example on laptops with firmware that uses WMI.
Controlled Folder Access can produce strange alarms ( “Protected memory access blocked” ) for applications that try to access the disk on the low level (usually disk cleaners, backup applications, etc.).
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Yes, this setup can be used on many machines with popular software (high prevalence).
Anyway, the WD MAX Protection Level can produce some problems for people who like to try many applications, especially not very popular ones. A few ASR rules can produce problems, for example on laptops with firmware that uses WMI.
Controlled Folder Access can produce strange alarms ( “Protected memory access blocked” ) for applications that try to access the disk on the low level (usually disk cleaners, backup applications, etc.).
It is a lenovo Yoga, she does not install software and WD runs on MAX for at least two years now without problems. The memory access blocked don't give problems either.
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
484
Hi

I just installed SWH in Shadow defender mode, and i can not find it on the Pc to manage the GUI. What to do?

What does the "Windows Hardening" feature actually do, what features does it contain?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Hi

I just installed SWH in Shadow defender mode, and i can not find it on the Pc to manage the GUI. What to do?

What does the "Windows Hardening" feature actually do, what features does it contain?
SWH is a portable application.
Read the first post in this thread for more info.
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
484
SWH is a portable application.
Read the first post in this thread for more info.

Ok, now i see how to do.

Is it possible to get a notice when something is blocked instead of the silent d.o like now?

I am thinking of changing from NVT` s Syshardener to SWH but, it seems to me that Syshardener gives more protection. Am i right?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
...
Is it possible to get a notice when something is blocked instead of the silent d.o like now?
When something is blocked, then usually you get the Windows alert. The details can be seen in the SWH Log. Some actions are rarely blocked by Windows without alert (like in SysHardener).
I am thinking of changing from NVT` s Syshardener to SWH but, it seems to me that Syshardener gives more protection. Am i right?
SysHardener default settings are not so restrictive as the SWH default setup. So, usually the opposite is true.

You can make SysHardener stronger by ticking all options, but this is not recommended because SysHardener does not have a log of blocked processes, so you will have problems with identifying what setting is the issue. It does not also allow whitelisting, so one blocked BAT script required to run Intel or AMD firmware, will cause you to disable protection of all BAT scripts, etc.

Most of these problems can be solved when using SWH + FirewallHardening. The FirewallHardening tool is an enhanced version of the SysHardener part related to blocking Internet access to LOLBins:

This setup is stronger and safer for the user than tweaked SysHardener, because of using detailed Logs and whitelisting.

If you need simple and basic protection (no whitelisting), then you can use SysHardener on default settings. If you need something stronger and more comprehensive then go for SWH.
 
Last edited:

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
484
When something is blocked, then usually you get the Windows alert. The details can be seen in the SWH Log. Some actions are rarely blocked by Windows without alert (like in SysHardener).

SysHardener default settings are not so restrictive as the SWH default setup. So, usually the opposite is true.

You can make SysHardener stronger by ticking all options, but this is not recommended because SysHardener does not have a log of blocked processes, so you will have problems with identifying what setting is the issue. It does not also allow whitelisting, so one blocked BAT script required to run Intel or AMD firmware, will cause you to disable protection of all BAT scripts, etc.

Most of these problems can be solved when using SWH + FirewallHardening. The FirewallHardening tool is an enhanced version of the SysHardener part related to blocking Internet access to LOLBins:

This setup is stronger and safer for the user than tweaked SysHardener, because of using detailed Logs and whitelisting.

If you need simple and basic protection (no whitelisting), then you can use SysHardener on default settings. If you need something stronger and more comprehensive then go for SWH.

I see.

To sum it up. You mean that SWH is better because it logs and blocks and together with FH the protection is enhanced so it is equal to, or better, than SH?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top