New Update Simple Windows Hardening

Semlr

New Member
Aug 5, 2020
4
@Semlr,
Could you please test if this issue is also present for some other applications:
Thank you.

What version of a virtual machine do you use?

Thanks for your response.
Here are my results:

Hard_Configurator:
  • Same error
ConfigureDefender-repo (hardening tools?):
  • Configure Defender started just fine,
  • DocumentsAntiExploits same error,
  • Network hardening started just fine.
VM:
Hyper-V, Gen2-setup:
client:

& Kaspersky Antivirus (just as a sidenote, it did not interfere)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Thanks for your response.
Here are my results:

Hard_Configurator:
  • Same error
ConfigureDefender-repo (hardening tools?):
  • Configure Defender started just fine,
  • DocumentsAntiExploits same error,
  • Network hardening started just fine.
VM:
Hyper-V, Gen2-setup:
client:
& Kaspersky Antivirus (just as a sidenote, it did not interfere)
Thanks. I am trying to reproduce this issue on the official Hyper-V Windows 10 Enterprise Evaluation ver. 2004 build 19041.329, but everything works well. Anyway, this is Hyper-V Gen 1.
Do you have a link to the official Gen 2 Hyper-V Windows 10 virtual machine?
 

Semlr

New Member
Aug 5, 2020
4
Thanks. I am trying to reproduce this issue on the official Hyper-V Windows 10 Enterprise Evaluation ver. 2004 build 19041.329, but everything works well. Anyway, this is Hyper-V Gen 1.
Do you have a link to the official Gen 2 Hyper-V Windows 10 virtual machine?
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
Is it possible to collect a trace log or stack trace for autoit-scripts?
Currently we only know the line number (32692), if this is accurate.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
Is it possible to collect a trace log or stack trace for autoit-scripts?
Currently we only know the line number (32692), if this is accurate.
The final Autoit executable contains the code made by developer + many Autoit built-in functions added in the process of compilation. It is possible to decompile 32-bit executables via Exe2Aut tool. But, you have 64-bit version.
It is probably possible to install Autoit in the VM and run the script (without compilation). Then the error will show the line in the concrete Autoit function.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I created a new vm and installed windows 10 pro 2004 using the official iso (created by media creation tool).
...
I have just finished testing on the VM like the above one - no problems. So, it seems that the only way to identify the issue is to run the source scripts (not compiled) on your virtual machine.
If you would like to do this, then you can use the source from:
The archive has to be unpacked to the Windows folder so the scripts will be placed in the folder: c:\Windows\Hard_Configurator .
Installation of Autoit is necessary:
For testing H_C and DocumentsAntiExploit the below scripts can be run from the Explorer:
c:\Windows\Hard_Configurator\Hard_Configurator.au3
c:\Windows\Hard_Configurator\DocumentsAntiExploit.au3
These scripts use other files so all source scripts are required in the Hard_Configurator folder.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Thank you for the guideline.
I executed the DocumentsAntiExploit.au3 and
I found a clue:

The logged on user does not have administrator rights (standard user).
Admin rights are granted by another user account which is local administrator.
Maybe this "mismatch" (logged on user vs user which granted admin rights) cause this error?
I forgot that the archive is password protected 🙃:
hard_configurator5111

This function works well (both on Admin Account or SUA) and normally the variable $User[0] contains the SID of the Current User. I think that probably some security prevents reading the SID.

Please replace the function _GetCurrentUserSID() with this code:
Code:
Func _GetCurrentUserSID()
    ; Resolve the current user's account on this computer; $User[0] normally holds the SID
    Local $User = _Security__LookupAccountName(_GetCurrentUser(),@ComputerName)
    If @error Then Return SetError(1,0,"")
    ; Debugging version: return 1 instead of the SID to check whether the lookup itself fails
    Return 1
;    Return $User[0]
EndFunc

But do not apply restrictions.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
@Semlr,
Thanks for the support. I will add an alert about such an event and the program will gently exit, instead of showing the error.(y):)
The CurrentUser SID is essential only for DocumentsAntiExploit tool, and the code related to _GetCurrentUserSID can be removed in actual versions of H_C, SwitchDefaultDeny, and SWH.
 
Last edited:
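The lookup and the check discussed above (resolve the current user's SID, and exit gently when the script is elevated with a different account than the logged-on user) written out in PowerShell. This is an added example, not Hard_Configurator's own code; the function names are assumptions, and it uses $env:USERDOMAIN rather than the computer name so the lookup also works for domain accounts.

```powershell
# Added example, not Hard_Configurator's own code. Function names are assumptions.
function Get-CurrentUserSid {
    # Equivalent of _Security__LookupAccountName(_GetCurrentUser(), @ComputerName):
    # translate the account name of the process user into its SID
    try {
        $account = New-Object System.Security.Principal.NTAccount($env:USERDOMAIN, $env:USERNAME)
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # the AutoIt version sets @error here
    }
}

function Get-ProcessTokenSid {
    # SID of the token this process actually runs under (the elevating admin account
    # when UAC was answered with another account's credentials)
    return [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
}

function Get-LoggedOnUserSid {
    # Owner of explorer.exe in this session, i.e. the interactively logged-on user
    $sessionId = (Get-Process -Id $PID).SessionId
    $explorer = Get-CimInstance Win32_Process -Filter "Name='explorer.exe' AND SessionId=$sessionId" |
        Select-Object -First 1
    if (-not $explorer) { return $null }
    $owner = Invoke-CimMethod -InputObject $explorer -MethodName GetOwnerSid
    if ($owner.ReturnValue -ne 0) { return $null }
    return $owner.Sid
}

$sid       = Get-CurrentUserSid
$tokenSid  = Get-ProcessTokenSid
$loggedSid = Get-LoggedOnUserSid

# Alert and exit instead of failing inside the script; restrictions are never applied here
if (-not $sid) {
    Write-Warning 'Could not resolve the current user SID; exiting without applying restrictions.'
    exit 1
}
if ($loggedSid -and ($tokenSid -ne $loggedSid)) {
    Write-Warning "Elevated as $tokenSid but the logged-on user is $loggedSid; exiting without applying restrictions."
    exit 1
}
"Current user SID: $sid"
```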

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
After a month of trying it out on my desktop with windows defender on MAX (with protected folders enabled) running as standard user, I installed identical config on my girlfriends laptop.

Security becomes tedious and dull with Andy Ful's hardening tools. NO PROBLEMS, NO INFECTIONS, NO POPUPS, NO INCOMPATIBILITIES :sleep:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
After a month of trying it out on my desktop with windows defender on MAX (with protected folders enabled) running as standard user, I installed identical config on my girlfriends laptop.

Security becomes tedious and dull with Andy Ful's hardening tools. NO PROBLEMS, NO INFECTIONS, NO POPUPS, NO INCOMPATIBILITIES :sleep:
Yes, this setup can be used on many machines with popular software (high prevalence).
Anyway, the WD MAX Protection Level can produce some problems for people who like to try many applications, especially not very popular ones. A few ASR rules can produce problems, for example on laptops with firmware that uses WMI.
Controlled Folder Access can produce strange alarms ( “Protected memory access blocked” ) for applications that try to access the disk on the low level (usually disk cleaners, backup applications, etc.).
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Yes, this setup can be used on many machines with popular software (high prevalence).
Anyway, the WD MAX Protection Level can produce some problems for people who like to try many applications, especially not very popular ones. A few ASR rules can produce problems, for example on laptops with firmware that uses WMI.
Controlled Folder Access can produce strange alarms ( “Protected memory access blocked” ) for applications that try to access the disk on the low level (usually disk cleaners, backup applications, etc.).
It is a Lenovo Yoga, she does not install software and WD has run on MAX for at least two years now without problems. The "memory access blocked" alerts don't give problems either.
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
471
Hi

I just installed SWH in Shadow Defender mode, and I cannot find it on the PC to manage the GUI. What to do?

What does the "Windows Hardening" feature actually do, what features does it contain?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Hi

I just installed SWH in Shadow Defender mode, and I cannot find it on the PC to manage the GUI. What to do?

What does the "Windows Hardening" feature actually do, what features does it contain?
SWH is a portable application.
Read the first post in this thread for more info.
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
471
SWH is a portable application.
Read the first post in this thread for more info.

OK, now I see how to do it.

Is it possible to get a notice when something is blocked instead of the silent d.o like now?

I am thinking of changing from NVT's SysHardener to SWH but, it seems to me that SysHardener gives more protection. Am I right?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
...
Is it possible to get a notice when something is blocked instead of the silent d.o like now?
When something is blocked, then usually you get the Windows alert. The details can be seen in the SWH Log. Some actions are rarely blocked by Windows without alert (like in SysHardener).
I am thinking of changing from NVT's SysHardener to SWH but, it seems to me that SysHardener gives more protection. Am I right?
SysHardener default settings are not so restrictive as the SWH default setup. So, usually the opposite is true.

You can make SysHardener stronger by ticking all options, but this is not recommended because SysHardener does not have a log of blocked processes, so you will have problems with identifying what setting is the issue. It also does not allow whitelisting, so one blocked BAT script required to run Intel or AMD firmware will cause you to disable protection of all BAT scripts, etc.

Most of these problems can be solved when using SWH + FirewallHardening. The FirewallHardening tool is an enhanced version of the SysHardener part related to blocking Internet access to LOLBins:

This setup is stronger and safer for the user than tweaked SysHardener, because of using detailed Logs and whitelisting.

If you need simple and basic protection (no whitelisting), then you can use SysHardener on default settings. If you need something stronger and more comprehensive then go for SWH.
 
Last edited:
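The approach described in the reply above (per-binary outbound firewall rules for LOLBins, a log of what gets blocked, and a list that can be whitelisted entry by entry) as an added PowerShell example. It is not the FirewallHardening tool's own code; the rule group name and the list of binaries are constructed samples, and it must be run in an elevated session.

```powershell
# Added example, not FirewallHardening's own code. Run elevated. Group name and list are constructed.
$RuleGroup = 'Example LOLBin Outbound Block'   # assumed group name, used to manage the rules as a set

# Constructed list; whitelisting a binary means leaving it out of (or removing it from) this list
$Blocked = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\System32\regsvr32.exe"
)

function Add-LolbinBlockRules {
    param([string[]]$Programs, [string]$Group)
    foreach ($exe in $Programs) {
        $name = "Block outbound: " + (Split-Path $exe -Leaf)
        # Idempotent: skip binaries that already have a rule
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Group $Group -Direction Outbound `
            -Program $exe -Action Block -Profile Any | Out-Null
    }
}

function Enable-DroppedConnectionLog {
    # Log dropped connections on all profiles, so a blocked binary can be identified
    # in pfirewall.log instead of failing silently
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
        -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
}

function Get-LolbinBlockRules {
    param([string]$Group)
    # One row per rule: which program it covers and whether it is enabled
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Enabled = $_.Enabled
        }
    }
}

Add-LolbinBlockRules -Programs $Blocked -Group $RuleGroup
Enable-DroppedConnectionLog
Get-LolbinBlockRules -Group $RuleGroup | Format-Table -AutoSize
```

To whitelist one binary later, remove only its rule (Remove-NetFirewallRule -DisplayName "Block outbound: <name>") instead of disabling the whole group.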

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
471
When something is blocked, then usually you get the Windows alert. The details can be seen in the SWH Log. Some actions are rarely blocked by Windows without alert (like in SysHardener).

SysHardener default settings are not so restrictive as the SWH default setup. So, usually the opposite is true.

You can make SysHardener stronger by ticking all options, but this is not recommended because SysHardener does not have a log of blocked processes, so you will have problems with identifying what setting is the issue. It also does not allow whitelisting, so one blocked BAT script required to run Intel or AMD firmware will cause you to disable protection of all BAT scripts, etc.

Most of these problems can be solved when using SWH + FirewallHardening. The FirewallHardening tool is an enhanced version of the SysHardener part related to blocking Internet access to LOLBins:

This setup is stronger and safer for the user than tweaked SysHardener, because of using detailed Logs and whitelisting.

If you need simple and basic protection (no whitelisting), then you can use SysHardener on default settings. If you need something stronger and more comprehensive then go for SWH.

I see.

To sum it up. You mean that SWH is better because it logs and blocks and together with FH the protection is enhanced so it is equal to, or better, than SH?
 
