Guide | How To Software restriction Policies to Windows Home

[Windows_Security]

First create a restore point before applying any of the tweaks mentioned in this post

Intro
On Wilders Security forum a well know member with the nickname Lucy (helas, she is not active anymore, hope she is well) posted a registry file to use Software Restriction Policies on Windows Home versions also. The update should add SRP to both 32 and 64 bits versions of Windows Home.

What is SRP?
SRP stands for Software Restriction Policies. As the name says it can be used to restrict software on your PC. It has basically three modes disallowed, basic user and unrestricted.

Why only Basic User?
This SRP uses Basic User as default level. This setup allows Administrators to overrule the execution restrictions enforces by Software Restriction Policies (SRP). Because all software which is already installed needs elvation to update itself, SRP basic User allows Windows and your already installed programs in Program Files to update themselves from user space.

What is the benefit of this SRP?
This SRP blocks program executions which are not initiated by the user of regular programs already installed. This covers 95% of all malware intrusions. This 5% risk is the price you pay for having Software Restriction Policies which still keep the Administrator at the steering will (being able to auto-update already installed and install new with right click 'run as administrator). I will provide two tips (which are free programs) to close the last 5 percent.

Add Symantect tweak for MSI installs
By default explorer has an option to run any executable with elevated priveledges by using the "Run as Administrator". Strangely Microsoft does not provice this option for MSI installers. Symantec came up with a registry tweak to also provide the option for running MSI files as Adminstrator (link)

Save the text between --- (do not include --- lines) as Add_Run_MSI_Admin.reg and run it
--- start
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

--- end


Add software restriction Policies
These SRP are the simplest in its form, they run Windows and Program Files folder for bot 32 and 64 bits as unrestricted, applies for all files (including extra's mentioned by @Av Gurus) and all users (except Administrator). I used windows variables %ProgramFiles%, %ProgramFiles(x86)% and %ProgramW6432% from this source and the GUID's for ProgramFiles, ProgramFilesX86 and ProgramFilesX64 from this source

Save the text between --- (do not include --- lines) as Add_SRP_Basic_User.reg and run it
--- start
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000
"TransparentEnabled"=dword:00000002
"PolicyScope"=dword:00000001
"ExecutableTypes"=hex(7):57,00,53,00,48,00,00,00,27,00,57,00,53,00,46,00,00,00,\
57,00,53,00,46,00,00,00,57,00,53,00,43,00,00,00,57,00,53,00,00,00,56,00,42,\
00,53,00,00,00,56,00,42,00,45,00,00,00,56,00,42,00,00,00,55,00,52,00,4c,00,\
00,00,53,00,48,00,53,00,00,00,53,00,43,00,54,00,00,00,53,00,43,00,52,00,00,\
00,52,00,45,00,47,00,00,00,50,00,53,00,31,00,00,00,50,00,49,00,46,00,00,00,\
50,00,43,00,44,00,00,00,4f,00,43,00,58,00,00,00,4d,00,53,00,54,00,00,00,4d,\
00,53,00,50,00,00,00,4d,00,53,00,49,00,00,00,4d,00,53,00,43,00,00,00,4d,00,\
44,00,45,00,00,00,4d,00,44,00,42,00,00,00,4c,00,4e,00,4b,00,00,00,4a,00,53,\
00,45,00,00,00,4a,00,53,00,00,00,4a,00,41,00,52,00,00,00,49,00,53,00,50,00,\
00,00,49,00,4e,00,53,00,00,00,49,00,4e,00,46,00,00,00,48,00,54,00,41,00,00,\
00,48,00,4c,00,50,00,00,00,45,00,58,00,45,00,00,00,43,00,52,00,54,00,00,00,\
43,00,50,00,4c,00,00,00,43,00,4f,00,4d,00,00,00,43,00,4d,00,44,00,00,00,43,\
00,48,00,4d,00,00,00,42,00,41,00,54,00,00,00,42,00,41,00,53,00,00,00,41,00,\
44,00,50,00,00,00,41,00,44,00,45,00,00,00
"AuthenticodeEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{6D809377-6AF0-444B-8957-A3773F02200E}]
"LastModified"=hex(b):14,1f,bd,58,7c,11,d2,01
"Description"="Program Files on 64 bits"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,57,00,36,00,\
34,00,33,00,32,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}]
"LastModified"=hex(b):b2,19,7a,3d,7c,11,d2,01
"Description"="Program Files (x86) on 64 bits"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,28,00,78,00,38,00,36,00,29,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{905E63B6-C1BF-494E-B29C-65B732D3D21A}]
"LastModified"=hex(b):62,e4,e4,4e,7c,11,d2,01
"Description"="Program Files (default)"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{F38BF404-1D43-42F2-9305-67DE0B28FC23}]
"LastModified"=hex(b):28,e1,f9,62,79,11,d2,01
"Description"="Windows"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,00,00

--- end

Restart Windows

 

[Windows_Security]

These two free programs close the 5% risk you have when using UAC+SRP while loging in as Administrator

Closing AUTORUNS in user space risk (UAC does not warn)
There are a few autoruns locations which can be changed withouut triggering an UAC-prompt, because those autorun entries are located in Current User registry or in User folders. There is a freeware program which warns you when some programs make additions to these user space autoruns.

Thanks Kyle for this small but usefull freeware program: Startup Sentinel (download). Simply install and this set and forget program will warn you when something tries to survive reboot using user space auto entries (okay when you install software, suspicious when it happens out of the blue)


Closing 'command line' and 'run as administrator' risk (SRP allows this)
Windows has a some script interpreters and command shells which might be used to bypass Basic User SRP in a sneaky manner in poisoned documents. Also the user can still shoot her/him-self in the foot by running some malware as administrator

Image you could combine the best of business strength Next Machine learning solutions like Invincea or Cylance and combine it with a herd of reliable Antivirus engines to close these risks? Imagine this solution is free for home use, sounds to good to be true does not it?

There is a freeware program which uses machine learning/artificial intelligence to block zero day malware AND uses the most reliable engines of Virus Total to block known malware AND is free for non-commercial home use: VoodooShield (just make sure you download latest version 3.XX). Thanks Dan for this amazing program. Simply install VoodoooShield and set it to AUTO-pilot mode, then you are done.

You will be warned for risky command lines (okay when you install software, suspicious when it happens out of the blue) and uses the best of Next Gen machine learning (to block Zero days) and 57 traditional AV-engines (to block known malware).

Disclaimer
I have tested it on 32 bits. Edit: Member Av Gurus was so kind to test this on 64, it seems to work also on 64 bits (Thank you).

 

[Windows_Security]

Why use VS in AUTO-pilot mode?
VS in Smart mode (smart anti-executable mode) will block everything from user space when you are connected to the internet. Because most people go online as soon as they startup their PC and a lot of programs update from the internet, VS in SMART mode (the default) could interfere with updates. Therefore we use VS in AUTO-pilot mode which mimics the behaviour of a traditional antivirus.

VS in AUTO-pilot (AV) mode weaker than SMART (AE) mode?
Anti-Executable (whitelist) is stronger than Anti-Virus (blacklist). Ironically VS is tested most not in whitelisting/anti-executable mode (SMART or ALWAYS ON), but in a mode mimicking an AntiVirus. Cruel Sister has tested VoodooShield in AUTO-pilot mode (link). Dan (owner/developer of VS) has tested VS against Cylance and Sophos in AUTO-pilot mode even with VT blacklist scan disabled (link). So when VS is that good when using half of it capabilities (with the Anti-Executable smart lock off), why not use VS in this more relaxed (more user friendly) AUTO-pilot mode mimicking a SWAT squad of traditional antivirus solutions accompanied by an all seeing machine learning Zero day reconnaissance attack drone?

Why use SRP as Anti-Executable?
Any program updating to Windows or Program Files folders needs to elvate, because UAC protects these folders. SRP Basic User will automaticaly allow all processes with elevated rights to run from user space. This means a 100% update guarantee for programs installed in UAC protected folders. On top of that SRP basic User allows installing new programs from user space using right click 'run as administrator'. So this intended Admin hole in SRP keeps the Admin in control.

Preventing VS nag-screen
Another benefit is that SRP will block unintended executions from user space before VS does. When VS saves your ass (blocks a threat), VS will throw a NAG-screen to you a couple of times (asking you to buy PRO). Putting SRP before VS will prevent that.

 

[Windows_Security]

I have been asked: what if I don't dare to hack the registry.

Answer: SUS and VS (on AUTO-pilot) with an outbound firewall and a browser with AppCointainer (edge or Chrome) will will also keep you safe when practising safe hex

Nice thing with registry hacks is when you set a restore point before you apply it, it can be easily undone through windows restore.

 

[Av Gurus]

Do you think that Anvir can be used instead SUS (Startup Sentinel?) with this options enabled (picture)?

 

[Tony Cole]

I thought software restriction policies adopted by software like cryptoprevent were no longer effective?

 

[Andy Ful]

Windows_Security
Great post

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000

What is the meaning of 00020000 value? The standard values are 00000000 (default deny) and 00040000 (default allow).

 

[Andy Ful]

I thought software restriction policies adopted by software like cryptoprevent were no longer effective?

Cryptoprevent and similar programs do not adopt default deny restrictions. They allow to run programs from many places in the User Space, contrary to default deny SRP, that blocks programs from running in the User Space ("DefaultLevel"=dword:00000000) . Default deny SRP can be ineffective mainly, when You choose to install programs . For this reason SRP is kindly supported by VS.

 

[Windows_Security]

Do you think that Anvir can be used instead SUS (Startup Sentinel?) with this options enabled (picture)?

View attachment 115828

Yes, I have used that in the past also. Anvir vs SuS, Anvir has some overhead as alternative task manager, In the past I noticed that Anvir seems to poll (does not prevent but detects changes), don't know about current Anvir protection mechanism. I would say when you already use Anvir or Winpatrol, keep using them, otherwise choose SuS

 

[Windows_Security]

Windows_Security
Great post

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000

What is the meaning of 00020000 value? The standard values are 00000000 (default deny) and 00040000 (default allow).

That is the Basic User value which combined with the Symantec MSI tweak, makes it so easy to use when running as Administrator.

Behaviour of Basic User default value

• Unelevated processes running Medium or lower Integrity level are blocked by SRP when you try to run them in user space.
  
  
• Elevated processes are alllowed to run. You can manually elevate a process by right clicking it and Run as Administrator (e.g. when you want to install a new program). All programs in Windows and Program Files folders need to elevate to be able to change UAC protected folders (hence all auto-updates will be allowed from programs in UAC protected folders).

 

[Windows_Security]

Dealing with flash updates

Chrome sometimes updates Pepperflash to
C:\Users\[YOUR USERNAME]\AppData\Local\Google\Chrome\User Data\PepperFlash\[VERSION OF FLASH]\

Just cut all files from the folder with the name of the flash version and past them to
C:\Program Files\Google\Chrome\Application\[VERSION OF CHROME]\PepperFlash\

Delete the flashversion folder in AppData. Now Chrome will use the updated flsah from Program Files

 

[Windows_Security]

I thought software restriction policies adopted by software like cryptoprevent were no longer effective?

True, but with Cryptoprevent SRP default level is unrestricted (as explained by Andy Ful), this registry tweak sets default level to Basic User (which blocks all unelevated processes trying to run in user folders).

 

[LabZero]

First create a restore point before applying any of the tweaks mentioned in this post

Good recommendation to create a restore point because when you add/modify registry values, it is nearly impossible to get back.
If the registry is corrupted, Windows may not work correctly.
The backup of the registry is already automatically included in the system restore points, but if something goes wrong with the restore points then before it is useful (or more convenient) to perform a manual backup of the registry.

https://support.microsoft.com/en-us/kb/322756

 

[Andy Ful]

Windows_Security

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000
"DefaultLevel"=dword:00000000

Both values are for default deny SRP. The only difference I noticed is when You remove BAT, CMD, JS, JSE, VBS, VBE, WSH extensions from SRP protected extensions list in :
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes

If "DefaultLevel"=dword:00000000 then removed extensions are still protected by SRP, but at the later stage (when script interpreters try to find and run files).
If "DefaultLevel"=dword:00020000, scripts are not protected after extensions removal. They are protected only if the script extensions are on the list.
I found out this by accident while testing "Run As Smartscreen", because I use SRP with "DefaultLevel"=dword:00000000 and had to remove script extensions to make it working.

I confirmed that now, in Windows 10 Pro, choosing Basic User gives "DefaultLevel"=dword:00020000 .
I was confused because in Lucy's post and some technet articles "DefaultLevel"=dword:00000000 had been used.

http://www.wilderssecurity.com/thre...p-under-lua-whatever-the-win7-version.262686/
Using Software Restriction Policies to Protect Against Unauthorized Software

 

[Windows_Security]

@Andy Ful;
With PRO versions one easily adopt SRP-rules, so your Smartscreen alternative to VS is useful.

On Home versions you don't have gepedit or secpol, so VS is a better solution because it blocks dangerous command lines (meaning minimal and static SRP rules) and when you drop an executable on the VS gadget/icon it checks that executable at VT (with 57 AV-engines)

 

[Andy Ful]

@Windows_Security

I noticed something strange. In Widows 10 Pro I can setup SRP through secpol.msc and choose "BASIC USER", so indeed the value of "DefaultLevel"=dword:00020000 is written to the Registry. It is OK. Yet, the behavior of SRP is different. I can run programs in the User Space that do not require elevation! Programs with elevation are blocked.
If I choose in secpol "DISALLOWED" then the value of "DefaultLevel"=dword:00000000 is written to the Registry, and SRP works as default deny like in Your Windows Home setup.
Is it possible to confirm this on one of Yours machines? If so, maybe it would be better to change DefaultLevel value from 00020000 to 00000000 to avoid misconception.

There is one little mistake on the list of SRP protected files:
there is 'WSF should be WSF .

I also tested Your SRP for Windows Home on my machine (Win 10 Pro 64Bit) and it works well

 

[Windows_Security]

Basic User works simular to default deny with the exception it allows MSI files to install and you don't need to remove the LNK.

Forgot to tell: you also need to elevate to admin to perform administrative tasks, so go to control panel, administrative tools and choose Run as administrator to run Computer Management and Disk Manager for example, see pic.

 

[Andy Ful]

If someone is interested in GUI to configure SRP in Windows Home, then can look here:
Hard_Configurator - Windows Hardening Configurator
It works for Windows 8+ (the minor bug actually prevents it to start in previous versions).
Soon, there will be published the new version for Windows Vista+ with some additional options.

 

[Andy Ful]

Some ideas from this thread were adopted in Hard_Configurator code. Thanks @Windows_Security.

 

[Windows_Security]

@Andy Ful compliments, great initiative, well done