Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,946

@aftech,​


What does the content of the registry keys below look like on your computer?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Protected
 

Parkinsond

Level 1
Dec 6, 2023
34
I use the freshly updated Windows 11 24H2 (Pro and Home editions) build 26100.3915.
After the Windows restart, the tweak is removed - the registry key is set to 0, and the SAC OFF setting is recovered in the Security Center.
It seems that in Windows 11 IoT Enterprise LTSC, the tweak can work differently.
No; it was just as you mentioned exactly, until a few days ago.
I suspect something changed with the updates.
Personally, I was surprised it worked!
I would like to express my gratitude 🤝 for your generous security software and knowledge you are spreading; most of my cybersecurity background was adopted from your posts.
 

Parkinsond


@aftech,​


What does the content of the registry keys below look like on your computer?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Protected
 

Attachments: 1.jpg, 2.jpg

rashmi

Level 18
Jan 15, 2024
876
It is rather clear. When pressing the <PowerShell> button, you will see some events blocked by PowerShell Constrained Language Mode and others blocked by the Windows Policy that prevents running PS1 scripts (see option <1> on the picture below):

View attachment 288350

If you do not block PS1 scripts, those scripts are still restricted by Constrained Language Mode (SRP restriction in SWH). However, you can whitelist PS1 scripts to avoid Constrained Language Mode restrictions.
If you choose blocking PS1 scripts by option <1>, all PS1 scripts are blocked (even system scripts). You can only run PowerShell CMDLines (still restricted by Constrained Language Mode) embedded in executables, shortcuts, batch scripts, VBS scripts, etc.
If I'm correct, the SWH default for PowerShell Restrictions is Option 1. The info for PowerShell Restrictions in the SWH menu changes when I select other options or Not Configured.

I don't know if my question is stupid or I'm reading the "The files blocked in this category cannot be whitelisted" info wrongly. Does this info mean if I see blocks in the PowerShell logs, I cannot whitelist those blocks like I can for the SRP blocks?
 

rashmi

Clean install is not necessary.
Just navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
and change the value of "VerifiedAndReputablePolicyState" from 0 to 1
I can switch off and on SAC this way.
I had turned off SAC through Windows Security. The reg tweak works here, and I could turn on SAC. I restarted the system, checked Windows Security, and SAC is on.

Edition: Windows 11 Pro
Version: 24H2
Installed on: 3/29/2025
OS build: 26100.3775
Experience: Windows Feature Experience Pack 1000.26100.66.0
 

Andy Ful

If I'm correct, the SWH default for PowerShell Restrictions is Option 1. The info for PowerShell Restrictions in the SWH menu changes when I select other options or Not Configured.

Yes.

Does this info mean if I see blocks in the PowerShell logs, I cannot whitelist those blocks like I can for the SRP blocks?

Yes and No. The blocks related to PowerShell Constrained Language Mode can be avoided by adding the path of PS1 script to the SWH whitelist.
Your questions follow from the fact that you do not know how Constrained Language Mode works. Please look here:

Microsoft introduced several ways of restricting PowerShell. Some of them are integrated with Software Restriction Policies/AppLocker/WDAC and can be whitelisted. Others can only be Enabled/Disabled (Audited).
 

Andy Ful

I had turned off SAC through Windows Security. The reg tweak works here, and I could turn on SAC. I restarted the system, checked Windows Security, and SAC is on.

Edition: Windows 11 Pro
Version: 24H2
Installed on: 3/29/2025
OS build: 26100.3775
Experience: Windows Feature Experience Pack 1000.26100.66.0

Could you repeat this exactly as follows:
  1. Turn OFF SAC in the Security Center.
  2. Restart Windows.
  3. Check if SAC is OFF and use the reg tweak to turn it ON.
  4. Restart Windows.
  5. Check the SAC in the Security Center.
Do it in the Virtual Machine, because there is a possibility that SAC will be permanently OFF (like on my machines).
 

rashmi

Yes and No. The blocks related to PowerShell Constrained Language Mode can be avoided by adding the path of PS1 script to the SWH whitelist.
I understand that; the help file mentions "except for files restricted by Constrained Language Mode." I meant the "yes" part. Can you explain it a bit?
 

rashmi

Could you repeat this exactly as follows:
  1. Turn OFF SAC in the Security Center.
  2. Restart Windows.
  3. Check if SAC is OFF and use the reg tweak to turn it ON.
  4. Restart Windows.
  5. Check the SAC in the Security Center.
Do it in the Virtual Machine, because there is a possibility that SAC will be permanently OFF (like on my machines).
I turned off SAC when I installed WHHLight, and that was a few days back. I shut down the system every day.
 

Andy Ful

I understand that; the help file mentions "except for files restricted by Constrained Language Mode." I meant the "yes" part. Can you explain it a bit?

I can, but first, look here:

I do not know what you know about Windows built-in PowerShell security mitigations. So, we could talk in different languages.
 

Andy Ful

@aftech, @rashmi
I found some differences in the Registry content.

The reg tweak changes the value of VerifiedAndReputablePolicyState in the reg key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy

It seems that this works if the value of VerifiedAndReputablePolicyStateMinValueSeen is set to 1 in another key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Protected

On my machine, the value of VerifiedAndReputablePolicyStateMinValueSeen is set to 0 and protected by the system (cannot be changed manually).
So, Windows does not change the SAC to ON.

1745922589481.png
 

rashmi

I can, but first, look here:

I do not know what you know about Windows built-in PowerShell security mitigations. So, we could talk in different languages.
I lack detailed knowledge of exploitable processes; I believe my question or its answer doesn't require security mitigation expertise. Perhaps I didn't explain my question well enough. I'll attempt to explain it in the clearest way I can.
 

rashmi

@aftech, @rashmi
I found some differences in the Registry content.

The reg tweak changes the value of VerifiedAndReputablePolicyState in the reg key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy

It seems that this works if the value of VerifiedAndReputablePolicyStateMinValueSeen is set to 1 in another key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Protected

On my machine, the value of VerifiedAndReputablePolicyStateMinValueSeen is set to 0 and protected by the system (cannot be changed manually).
So, Windows does not change the SAC to ON.

View attachment 288356
I have SAC turned off, and the value of VerifiedAndReputablePolicyStateMinValueSeen is 1. I also cannot change the value to 0; it throws an error.

Update: I didn't restart the system after turning SAC off. After restarting the system, the value of VerifiedAndReputablePolicyStateMinValueSeen is 0.

Update: I cannot turn SAC on now. I change the value in the "Policy" key to 1. Windows Security confirms SAC is on, but after a system restart, it shows SAC is off. The value in the "Policy" key is back to 0. I cannot change the value in the "Protected" key to 1.
 

Andy Ful

I have SAC turned off, and the value of VerifiedAndReputablePolicyStateMinValueSeen is 1. I also cannot change the value to 0; it throws an error.

Update: I didn't restart the system after turning SAC off. After restarting the system, the value of VerifiedAndReputablePolicyStateMinValueSeen is 0.

Update: I cannot turn SAC on now. I change the value in the "Policy" key to 1. Windows Security confirms SAC is on, but after a system restart, it shows SAC is off. The value in the "Policy" key is back to 0. I cannot change the value in the "Protected" key to 1.

As I expected, the Security Center is fooled on our machines by this reg tweak to show that SAC is ON (until Windows restart), but actually it is not.
Slightly more advanced reg tweaks worked a few years ago (see my post below):
https://malwaretips.com/threads/win...tware-restriction-policies.61871/post-1006923

But if I remember correctly, those tweaks also stopped working on Windows Home and Pro in the year 2023.
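
A read-only way to record the two registry values discussed in the posts above across restarts (an added example, not part of any post and not code from WHHLight; the function names and the log path are assumptions, and the verdict strings only restate what the posters reported):

```powershell
# Added example: read-only snapshot of the two SAC values named in the thread.
# Nothing is written to the registry; each run appends one row to a CSV log.
$ciRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI'
$logPath = Join-Path $env:TEMP 'sac-registry-log.csv'   # assumed location

function Get-CiValue {
    param([string]$SubKey, [string]$Name)
    try {
        $key = Join-Path $ciRoot $SubKey
        (Get-ItemProperty -Path $key -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value missing, or not readable by this account
    }
}

function Get-SacVerdict {
    param($PolicyState, $MinValueSeen)
    if ($null -eq $PolicyState) { return 'Policy value missing or unreadable' }
    if ($PolicyState -eq 0)     { return 'Policy value 0: SAC OFF' }
    if ($PolicyState -eq 1 -and $MinValueSeen -eq 1) {
        return 'Policy 1, MinValueSeen 1: combination reported in the thread to work'
    }
    if ($PolicyState -eq 1 -and $MinValueSeen -eq 0) {
        return 'Policy 1, MinValueSeen 0: reported to show ON only until restart'
    }
    return 'Combination not covered by the thread'
}

$policy  = Get-CiValue 'Policy'    'VerifiedAndReputablePolicyState'
$minSeen = Get-CiValue 'Protected' 'VerifiedAndReputablePolicyStateMinValueSeen'
$boot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# One row per run; LastBoot shows which rows were taken before and after a restart.
$row = [pscustomobject]@{
    Checked      = Get-Date -Format s
    LastBoot     = $boot.ToString('s')
    PolicyState  = $policy
    MinValueSeen = $minSeen
    Verdict      = Get-SacVerdict $policy $minSeen
}
$row | Export-Csv -Path $logPath -Append -NoTypeInformation
$row | Format-List
```

Running it after each step of the five-step sequence quoted earlier gives rows that can be compared across the change in LastBoot, instead of relying on what the Security Center displays.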
 

rashmi

As I expected, the Security Center is fooled on our machines by this reg tweak to show that SAC is ON (until Windows restart), but actually it is not.
Slightly more advanced reg tweaks worked a few years ago (see my post below):
https://malwaretips.com/threads/win...tware-restriction-policies.61871/post-1006923

But if I remember correctly, those tweaks also stopped working on Windows Home and Pro in the year 2023.
I turned SAC off a few days back. Today, I could turn SAC on with the reg tweak at least once, i.e., it was on after a system restart. I couldn't turn SAC on after turning it off again.

I reverted to a clean system image when SAC was in evaluation mode. I turned SAC off, restarted the system, turned SAC on, restarted the system, and checked Windows Security; SAC was off.
 

rashmi

I enabled "send optional data" in settings and tried the reg tweak to turn SAC on. After a system restart, SAC was off, and the optional data setting also turned off.

@Andy Ful, I've configured Windows Update to "notify and download." Windows Update occasionally notifies me of Defender updates. Some Defender updates rely on Windows Update, according to Microsoft Copilot. It says if you enable the "Allow security intelligence updates from Microsoft Update" group policy setting, Defender will update separately from Windows Update. It would affect ConfigureDefender/WHHLight configurations, right?
 

Andy Ful

It says if you enable the "Allow security intelligence updates from Microsoft Update" group policy setting, Defender will update separately from Windows Update. It would affect ConfigureDefender/WHHLight configurations, right?

I do not think so.
ConfigureDefender settings are unrelated to Microsoft Defender updates.
 

rashmi

I do not think so.
ConfigureDefender settings are unrelated to Microsoft Defender updates.
I vaguely recall seeing something about avoiding group policy configuration in forum threads or help files. Can I set up group policy while using WHHLight (SWH, SS, WDAC, CD, FH, DAE) on the system?
 
