Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

What about the MD logs? Why the different configurations with network protection "ON" on both systems? SSD network inspection: 1 and HDD network inspection: 0 (updated time).
 
What about the MD logs? Why the different configurations with network protection "ON" on both systems? SSD network inspection: 1 and HDD network inspection: 0 (updated time).

ConfigureDefender does not change the Network Inspection System (NIS) settings. It changes NetworkProtection settings. The current NIS settings can be inspected via <Info about Defender>:

1742418886103.png
 
@Andy Ful, If I use Smart App Control, would you recommend any of your tools?

It is hard to recommend a solution to security-oriented guys. :)
The first problem is whether you can live with your current setup (SAC enabled).
The default Windows 11 built-in setup + SAC + Core Isolation + slightly hardened Edge and Firewall is enough for most people.
There are many possible ways to make this setup stronger, but then you are trying to fight the malware that will probably never attack your computer.

Here is a possible route, if you would like to test step by step the limits of your abilities:
  1. FirewallHardening (Recommended H_C).
  2. FirewallHardening (Recommended H_C) + ConfigureDefender HIGH.
  3. FirewallHardening (Recommended H_C) + ConfigureDefender HIGH + WHHLight (default SWH settings).
  4. FirewallHardening (Recommended H_C) + ConfigureDefender MAX + WHHLight (default SWH settings).
  5. etc. (additional tweaking, DocumentsAntiExploit).
  6. Hard_Configurator
Hard_Configurator includes FirewallHardening, ConfigureDefender, and DocumentsAntiExploit. The Recommended Settings in Hard_Configurator + ConfigureDefender + FirewallHardening + DocumentsAntiExploit are probably the upper limit (still usable) for MT members.
Hard_Configurator can apply more restrictive setting profiles, but such restrictions are intended for special cases.
 
It is hard to recommend a solution to security-oriented guys. :)
The first problem is whether you can live with your current setup (SAC enabled).
Indeed.
The default Windows 11 built-in setup + SAC + Core Isolation + slightly hardened Edge and Firewall is enough for most people.
Absolutely. And this might work for @rashmi if he uses only signed applications, doesn't run scripts downloaded from the internet, etc.

This is my setup ATM, except for SAC, but I'll enable it at next clean install.
 
It is hard to recommend a solution to security-oriented guys. :)
Simple setup is my priority; I'm not overly concerned with security or privacy. I'm unaware of Smart App Control's full scope and whether it would benefit from pairing with your tools. I appreciate your help in making things clearer.
 
Indeed.

Absolutely. And this might work for @rashmi if he uses only signed applications, doesn't run scripts downloaded from the internet, etc.

This is my setup ATM, except for SAC, but I'll enable it at next clean install.
Clean install is not necessary.
Just navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
and change the value of "VerifiedAndReputablePolicyState" from 0 to 1
I can switch off and on SAC this way.
 
Clean install is not necessary.
Just navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
and change the value of "VerifiedAndReputablePolicyState" from 0 to 1
I can switch off and on SAC this way.

This tweak worked a few years ago, but does not work anymore. If SAC is disabled (without this tweak), you can use the tweak and SAC will look at Security Center as switched ON (but SAC does not work). After restarting Windows, the SAC is switched OFF again.
 
This tweak worked a few years ago, but does not work anymore. If SAC is disabled (without this tweak), you can use the tweak and SAC will look at Security Center as switched ON (but SAC does not work). After restarting Windows, the SAC is switched OFF again.
True; this was the situation a while ago.
Surprisingly, it worked when tried again yesterday.
Turned off SAC from security center, and turned it back on using this registry modification.
 
What's the workaround for (SWH) PowerShell's app/installation blocking when whitelisting isn't an option? Does turning SWH off, running the app/installation, and then turning it on again permanently allow the app/script?
 
True; this was the situation a while ago.
Surprisingly, it worked when tried again yesterday.
Turned off SAC from security center, and turned it back on using this registry modification.

Did you restart Windows after switching OFF SAC and then again after the tweak? Is SAC still ON?
 
What's the workaround for (SWH) PowerShell's app/installation blocking when whitelisting isn't an option? Does turning SWH off, running the app/installation, and then turning it on again permanently allow the app/script?

I do not understand you. :unsure:
Which point is unclear to you?

1745870688395.png


You do not need to switch OFF SWH to allow running PS1 scripts or allow PowerShell CMDLines.
If you switch SWH OFF, the SWH restrictions are also switched OFF.
Did you read the SWH help (press the SWH green button)?
 
I do not understand you. :unsure:
Which point is unclear to you?
"Press <PowerShell> button to see the events blocked by Constrained Language Mode and events related to running PowerShell script files. The files blocked in this category cannot be whitelisted, except for files restricted by Constrained Language Mode."

What does the bold text above mean?
 
"Press <PowerShell> button to see the events blocked by Constrained Language Mode and events related to running PowerShell script files. The files blocked in this category cannot be whitelisted, except for files restricted by Constrained Language Mode."

What does the bold text above mean?

It is rather clear. When pressing the <PowerShell> button, you will see some events blocked by PowerShell Constrained Language Mode and others blocked by the Windows Policy that prevents running PS1 scripts (see option <1> on the picture below):

1745880671618.png


If you do not block PS1 scripts, those scripts are still restricted by Constrained Language Mode (SRP restriction in SWH). However, you can whitelist PS1 scripts to avoid Constrained Language Mode restrictions.
If you choose blocking PS1 scripts by option <1>, all PS1 scripts are blocked (even system scripts). You can only run PowerShell CMDLines (still restricted by Constrained Language Mode) embedded in executables, shortcuts, batch scripts, VBS scripts, etc.
 
Yes; 26100.3775
Might be some Windows update changed the whole scenario.

I use the fresh updated Windows 11 24H2 (Pro and Home editions) build 26100.3915.
After the Windows restart, the tweak is removed - the registry key is set to 0, and the SAC OFF setting is recovered in the Security Center.
It seems that in Windows 11 IoT Enterprise LTSC, the tweak can work differently.
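
A read-only way to settle the "did it survive the restart?" question discussed above, as an added example that is not part of any post in the thread: run it once after changing the setting and again after restarting Windows. The snapshot file location and the function names are assumptions made for this example; the registry path and value name are the ones quoted in the thread.

```powershell
# Added example: records the SAC registry value with the boot time, then on the
# next run reports whether the value persisted across a reboot. Reads only.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$ValueName = 'VerifiedAndReputablePolicyState'
$Snapshot  = Join-Path $env:LOCALAPPDATA 'sac-state-snapshot.json'  # hypothetical path

function Get-SacSnapshot {
    # Current registry value (or $null if absent) plus last boot time as Unix seconds.
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    [pscustomobject]@{
        State     = if ($null -ne $prop) { [int]$prop.$ValueName } else { $null }
        BootEpoch = ([DateTimeOffset]$boot).ToUnixTimeSeconds()
        TakenAt   = (Get-Date).ToString('s')
    }
}

function Compare-SacSnapshot {
    param($Previous, $Current)
    # The reported boot time can drift slightly after a clock sync, so allow 120 s.
    if ([math]::Abs($Current.BootEpoch - $Previous.BootEpoch) -lt 120) {
        return 'NoRebootSinceSnapshot'   # nothing can be said about persistence yet
    }
    if ($Previous.State -eq $Current.State) { return 'PersistedAcrossReboot' }
    return 'ChangedAcrossReboot'
}

$now = Get-SacSnapshot
$verdict = $null
if (Test-Path $Snapshot) {
    $old     = Get-Content -Path $Snapshot -Raw | ConvertFrom-Json
    $verdict = Compare-SacSnapshot -Previous $old -Current $now
    "Before: state=$($old.State) taken $($old.TakenAt)"
    "Now:    state=$($now.State) taken $($now.TakenAt)"
    "Result: $verdict"
}
# Keep the first snapshot until a reboot has been observed, then start a new one.
if (-not (Test-Path $Snapshot) -or $verdict -ne 'NoRebootSinceSnapshot') {
    $now | ConvertTo-Json | Set-Content -Path $Snapshot -Encoding UTF8
}
```

The result covers only the registry value; whether SAC is actually enforcing, and what Security Center displays, still has to be checked separately, as the replies above point out.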