Advice Request Today I found many settings changed due to Windows Update. (Services, Network stuff...) Here's how I quickly change back to safety! :D

Yellowing

Jun 7, 2018
Hi :)
I hope this helps anyone. :)

I assume the settings changed due to a Windows update, since the re-activated services were Windows default ones. Those settings were things mentioned in the Windows 10 hardening guide: Harden Windows 10 for Security. How to secure Windows 10.
Many were reverted for some reason. :emoji_clap: #microsoft :mad:

Services: I had to go through my services again, deactivating many, and that costs so much time every time. :emoji_sob: So I searched for a way to save the current startup state of services. I found this pretty awesome little batch: Script to Backup Current Start State (Startup Type) of Windows Services - Tech Journey
Once configured it saves a billion hours until Microsoft decides to change the names of services again. :mad:
(... yes, there is BlackViper and such, but I was never able to use that to backup my services to a re-usable file. Also the standard settings are bad.)
I configured my services to disable many things, so I'm not going to include the created batch file in here. It would just make problems for users who suddenly have no WLAN or WAN Miniports anymore. :D
However I am going to include a batch that deactivates those pesky user-services that are the doubles with that random string at the end! Without changing the registry it is impossible to get rid of them. So here is a batch that does just that.
Bash:
rem Start=4 sets the startup type to Disabled on each per-user service template.
reg add HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t REG_DWORD /d 4 /f
reg add HKLM\System\CurrentControlSet\Services\CDPUserSvc /v Start /t REG_DWORD /d 4 /f
reg add HKLM\System\CurrentControlSet\Services\OneSyncSvc /v Start /t REG_DWORD /d 4 /f
reg add HKLM\System\CurrentControlSet\Services\UnistoreSvc /v Start /t REG_DWORD /d 4 /f
reg add HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc /v Start /t REG_DWORD /d 4 /f
reg add HKLM\System\CurrentControlSet\Services\UserDataSvc /v Start /t REG_DWORD /d 4 /f
PAUSE
It fully deactivates them and after the next restart they are no longer running.

Network and other stuff: I combined many settings from the hardening guide into one batch file. I just had to run it. Convenient! Here it is! (It also includes "Enable LSASS as protected service" which is not in the guide, but pretty good.)
Ignore the "@echo on" and "off's" :ROFLMAO: They're just there so that the console output looks good.
Bash:
@echo off
echo.
echo.
echo ===============================================================================
echo Several settings are going to get changed.
echo Please run this file as Administrator!
echo.
echo.
pause

echo.
echo ===============================================================================
echo Disable IGMP
@echo on
Netsh interface ipv4 set global mldlevel=none
@echo off

echo.
echo -------------------------------------------------------------------------------
echo Disable IPv6
@echo on
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xFF /f
@echo off

echo.
echo -------------------------------------------------------------------------------
echo Disable UPnP
@echo on
reg add HKLM\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP /v UPnPMode /t REG_DWORD /d 2 /f
@echo off

echo.
echo -------------------------------------------------------------------------------
echo Forbid sending user information to microsoft
@echo on
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection /v AllowTelemetry /t REG_DWORD /d 0 /f
@echo off

echo.
echo -------------------------------------------------------------------------------
echo Enable lsass as protected service
@echo on
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f
@echo off

echo.
echo.
echo.
echo ===============================================================================
echo Set inconvenient but secure Log-On procedures? (Read file for info)
echo.
echo.
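set ask=0
set /p ask="(y)es/(n)o: "

rem Quoted, case-insensitive comparison so input with spaces or capitals does not break the script
if /i "%ask%"=="yes" goto CREATE
if /i "%ask%"=="no" goto END
if /i "%ask%"=="y" goto CREATE
if /i "%ask%"=="n" goto END
goto END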

:CREATE
echo.
echo -------------------------------------------------------------------------------
echo Enable Secure Sign in screen with (Ctrl + Alt + Del)
@echo on
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /t REG_DWORD /d 0 /f
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCAD /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCAD /f
@echo off

echo.
echo -------------------------------------------------------------------------------
echo Ask for user name and password at log on screen
@echo on
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 1 /f
@echo off
echo.
echo.

:END
echo --------------------------------------------------------------------------------
echo -----------------------------------All done!------------------------------------
echo --------------------------------------------------------------------------------
Pause

Then run NoVirusThanks SysHardener: Because, why not? Here is my configuration. Save it as an ".ini" file. It shouldn't be very problematic for anyone, but differs from the standard recommended settings in order to increase security.
You can take a look at what they do before applying them in the program. (Load settings)
Code:
[Settings]
CheckBox1=1
CheckBox2=1
CheckBox3=0
CheckBox4=1
CheckBox5=1
CheckBox6=1
CheckBox7=1
CheckBox11=1
CheckBox12=1
CheckBox13=1
CheckBox15=1
CheckBox17=1
CheckBox18=1
CheckBox19=1
CheckBox20=1
CheckBox21=1
CheckBox22=1
CheckBox23=1
CheckBox24=1
CheckBox26=1
CheckBox27=1
CheckBox28=1
CheckBox29=1
CheckBox30=1
CheckBox34=1
CheckBox36=1
CheckBox37=1
CheckBox38=1
CheckBox39=1
CheckBox40=1
CheckBox41=1
CheckBox42=0
CheckBox43=1
CheckBox44=1
CheckBox45=1
CheckBox46=1
CheckBox47=1
CheckBox48=1
CheckBox49=1
CheckBox51=1
CheckBox25=1
CheckBox33=0
CheckBox52=1
CheckBox53=1
CheckBox54=1
CheckBox55=1
CheckBox56=1
CheckBox57=1
CheckBox58=1
CheckBox59=1
CheckBox60=1
CheckBox61=1
CheckBox62=1
CheckBox8=1
CheckBox35=1
CheckBox63=1
CheckBox64=1
CheckBox65=1
CheckBox66=1
CheckBox67=1
CheckBox68=1
CheckBox69=1
CheckBox70=1
CheckBox71=1
CheckBox72=1
CheckBox73=1
CheckBox74=1
CheckBox75=0
CheckBox76=0
CheckBox77=0
CheckBox14=1
CheckBox16=0
CheckBox78=1
CheckBox31=1
CheckBox32=1
CheckBox79=1
CheckBox80=1
CheckBox81=1
CheckBox82=1
CheckBox83=1
CheckBox9=0
CheckBox10=0
CheckBox50=0
CheckBox84=0
CheckBox85=1
CheckBox86=0
CheckBox87=0
CheckBox88=0
RadioButton1=0
RadioButton2=0
RadioButton3=0
RadioButton4=0
RadioButton5=0
RadioButton6=1
CheckBox89=0
CheckBox90=0
RadioButton7=0
RadioButton8=0
RadioButton9=1
CheckBox91=1
CheckBox92=0
CheckBox93=1
CheckBox94=1
CheckBox95=1
CheckBox96=0
RadioButton10=1
RadioButton11=0
RadioButton12=0
RadioButton13=0
RadioButton14=0
RadioButton15=0
CheckBox97=1
CheckBox98=1
CheckBox99=1
CheckBox100=1
CheckBox101=1
CheckBox102=1
CheckBox103=1
CheckBox104=1
CheckBox105=1
CheckBox106=1
CheckBox107=1
CheckBox108=1
CheckBox109=0
CheckBox110=0
CheckBox111=1
CheckBox112=1
CheckBox113=1
CheckBox114=1
CheckBox115=0
CheckBox116=1
CheckBox117=1
CheckBox118=1
CheckBox119=1
CheckBox120=1
CheckBox121=1
CheckBox122=0
CheckBox123=1
CheckBox124=1
CheckBox125=1
CheckBox126=0
CheckBox127=1
CheckBox128=1
CheckBox129=1
CheckBox130=1
CheckBox131=1

I've also found Distributed COM to be enabled again. So remove this: Connection oriented TCP/IP from DCOM protocols.
It is found under: Start button > All apps > Windows Administrative tools > Component Services. Computer Services > Computers > right click on My Computer; choose Properties. Go to Default Protocols tab.
Thank you, windows-hardening-guy! :D
I don't think you can change or delete that with commands or registry. But if you know, please tell me so that I can add it to my batch. :D



Of course, in order to get rid of these problems, you could use the group-policy editor in order to prohibit any automatic Windows updates in conjunction with the "wushowhide.diagcab" that lets you choose updates to stop them from ever happening (How to Block Windows 10 Updates - All things technical - tips & tricks), but looking through the update description is more of a hassle than creating these few files here, I would say.

Have fun! :D
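
An added example, not part of the original post: a read-only PowerShell check that compares the registry values set unconditionally by the two batch files above against what is currently on the machine, so settings reverted by an update show up at a glance. The function name Test-HardeningDrift and the report layout are assumptions made for this example; the netsh IGMP setting and the optional log-on settings are not covered.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Test-HardeningDrift is a name chosen for this example.
function Test-HardeningDrift {
    param([Parameter(Mandatory)][object[]]$Settings)
    foreach ($s in $Settings) {
        # A missing key or value yields $null instead of an error
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($s.Name) } else { $null }
        if ($null -eq $actual) {
            $status = 'MISSING'
        } elseif ($actual -eq $s.Want) {
            $status = 'OK'
        } else {
            $status = 'DRIFT'
        }
        [pscustomobject]@{
            Status = $status; Key = $s.Path; Value = $s.Name
            Want = $s.Want; Actual = $actual
        }
    }
}

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @(
    # First batch file: per-user service templates, Start 4 = Disabled
    'WpnUserService', 'CDPUserSvc', 'OneSyncSvc', 'UnistoreSvc',
    'PimIndexMaintenanceSvc', 'UserDataSvc' | ForEach-Object {
        [pscustomobject]@{ Path = "$svc\$_"; Name = 'Start'; Want = 4 }
    }
    # Second batch file: IPv6, UPnP, telemetry, LSASS protection
    [pscustomobject]@{ Path = "$svc\Tcpip6\Parameters"
                       Name = 'DisabledComponents'; Want = 0xFF }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP'
                       Name = 'UPnPMode'; Want = 2 }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
                       Name = 'AllowTelemetry'; Want = 0 }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
                       Name = 'RunAsPPL'; Want = 1 }
)

$report = @(Test-HardeningDrift -Settings $expected)
$report | Sort-Object Status | Format-Table -AutoSize -Wrap
$bad = @($report | Where-Object Status -ne 'OK').Count
"$bad of $($report.Count) settings need attention"
```

Rows marked DRIFT or MISSING are the ones to re-apply with the batch files above.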
 

HarborFront

Oct 9, 2016
IMO, just hardening some Windows settings for security/privacy will do. Even if you are paranoid about security/privacy and apply all the tricks from the net, MS will find some ways to bypass them, and with each MS update some settings will be reverted again.

So, don't waste so much time in wanting to achieve extreme security/privacy with Windows OS. If you want true anonymity, security and privacy then use Whonix + Qubes + Tor
 

Sunshine-boy

Apr 1, 2017
Bad practice, but it makes my life easier. I don't want unsupported versions! They make my life harder : )
 
