diff --git a/.github/ISSUE_TEMPLATE/1-bug-report-scripts.yaml b/.github/ISSUE_TEMPLATE/1-bug-report-scripts.yaml index 77fde0d47..c71af8577 100644 --- a/.github/ISSUE_TEMPLATE/1-bug-report-scripts.yaml +++ b/.github/ISSUE_TEMPLATE/1-bug-report-scripts.yaml @@ -44,7 +44,7 @@ body: - On macOS: Open "Apple menu (top left corner)" > "About This Mac". - On Linux: Open terminal > type: lsb_release -a > copy paste the result. placeholder: >- - For example: "Windows 11 Pro 22H3" + For example: "Windows 11 Pro 23H2" validations: required: false - diff --git a/SECURITY.md b/SECURITY.md index 1ce2efeac..766996d84 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -37,7 +37,7 @@ privacy.sexy adopts a defense in depth strategy to protect users on multiple lay - **Auditing and Transparency:** The desktop application improves security and transparency by logging application activities and retaining files of executed scripts This facilitates detailed auditability and effective troubleshooting, contributing to the integrity and reliability of the application. - Recognizing that some users prefer not to keep these records, privacy.sexy provides specialized scripts for deletion of these logs. + Recognizing that some users prefer not to keep these logs, privacy.sexy provides specialized scripts for deletion of them. - **Privilege Management:** The desktop application operates without persistent administrative or `sudo` privileges, reinforcing its security posture. It requests elevation of privileges for system modifications with explicit user consent and logs every action taken with high privileges. This 
@@ -52,7 +52,7 @@ privacy.sexy adopts a defense in depth strategy to protect users on multiple lay of authentic scripts. This safeguards against any unwanted modifications. - **Clean-up:** - Recognizing that some users prefer not to keep these records, privacy.sexy provides specialized scripts for deletion of these scripts. + Recognizing that some users prefer not to keep these scripts, privacy.sexy provides specialized scripts for deletion of them. This allows users to maintain their privacy by removing traces of their usage patterns or script preferences. ### Update Security and Integrity diff --git a/src/application/collections/macos.yaml b/src/application/collections/macos.yaml index 93ed1d209..eb3ad1974 100644 --- a/src/application/collections/macos.yaml +++ b/src/application/collections/macos.yaml @@ -510,7 +510,7 @@ actions: code: rm -rfv ~/Library/Caches/Metadata/Safari/History - name: Clear search term history embedded in Safari preferences - docs: https://krypted.com/tag/recentsearchstrings/ + docs: https://web.archive.org/web/20241001141605/https://krypted.com/mac-os-x/clearing-recent-searches-in-safari-4/ code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )' - name: Clear Safari cookies diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index ba5b02c30..14d510adc 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -632,7 +632,7 @@ actions: - Searching for **Run** in the **Start Menu** [1] [2] - Running specific commands: - `explorer shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}` [4] - - `WINDIR%\System32\rundll32.exe shell32.dll,#61` [4] + - `SYSTEMROOT%\System32\rundll32.exe shell32.dll,#61` [4] Keeping this data poses privacy and security risks: 
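Review bot: In the `@@ -632` hunk of `src/application/collections/windows.yaml`, the replacement line still drops the leading percent sign, so the documented command reads `SYSTEMROOT%\System32\rundll32.exe ...` and is not a valid environment-variable reference; the original `WINDIR%` had the same defect and this commit carries it over. The line should be `- `%SYSTEMROOT%\System32\rundll32.exe shell32.dll,#61` [4]` so that it matches the other `%SYSTEMROOT%` references introduced in this commit and can be pasted as written. This is documentation text inside the `docs:` scalar, so nothing executes differently, but users copying the line will get a "not recognized" error. The enclosing `docs:` block starts and ends outside the hunk.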
@@ -1357,8 +1357,8 @@ actions: recommend: standard docs: - https://en.wikipedia.org/wiki/Temporary_Internet_Files - - https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files - - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache + - https://web.archive.org/web/20241202094338/https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files + - https://web.archive.org/web/20241202094003/https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache call: - function: ClearDirectoryContents @@ -1400,7 +1400,7 @@ actions: docs: - https://web.archive.org/web/20240314130055/https://learn.microsoft.com/en-us/windows/win32/wininet/managing-cookies - https://web.archive.org/web/20240314130046/https://learn.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs - - https://www.thewindowsclub.com/cookies-folder-location-windows + - https://web.archive.org/web/20241202094114/https://www.thewindowsclub.com/cookies-folder-location-windows call: - function: ClearDirectoryContents @@ -1658,7 +1658,7 @@ actions: name: Clear temporary system folder recommend: standard docs: |- - This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1]. + This script eliminates the contents of the `%SYSTEMROOT%\Temp\` directory, also known as the Windows Temp directory [1]. This directory is located within the Windows system folder `%SystemDrive%\Windows\Temp\` [1] [2]. It is used by the system and system-level processes to store temporary files, including those generated by the operating system and other system-level software. 
@@ -1671,7 +1671,7 @@ actions: Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9], and counteract malware [2]. Some system applications may populate this folder, taking up considerable disk space [7] [9] [10]. - This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity, + This script only deletes the contents of the `%SYSTEMROOT%\Temp\` directory, not the directory itself, to maintain system integrity, security, and privacy, avoiding potential issues caused by unintentional directory deletion without proper ACL. Deleting the directory itself might disrupt certain applications, such as `dism` [11], and application installers [12], while also removing the special ACL that secures the folder. @@ -1691,7 +1691,7 @@ actions: call: function: ClearDirectoryContents parameters: - directoryGlob: '%WINDIR%\Temp' + directoryGlob: '%SYSTEMROOT%\Temp' - name: Clear temporary user folder recommend: standard @@ -1728,7 +1728,7 @@ actions: name: Clear prefetch folder recommend: standard docs: |- - This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2]. + This script deletes the contents of `%SYSTEMROOT%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2]. **What is Prefetch?** @@ -1766,7 +1766,7 @@ actions: call: function: ClearDirectoryContents parameters: - directoryGlob: '%WINDIR%\Prefetch' + directoryGlob: '%SYSTEMROOT%\Prefetch' - category: Clear Windows log and caches children: @@ -2331,7 +2331,7 @@ actions: - function: DeleteFiles parameters: - fileGlob: '%WINDIR%\System32\sru\SRUDB.dat' + fileGlob: '%SYSTEMROOT%\System32\sru\SRUDB.dat' grantPermissions: 'true' - function: StartService 
@@ -3790,7 +3790,7 @@ actions: However, it is automatically enabled by the **Diagnostic Policy Service** when a S.M.A.R.T. fault is detected [1]. - It runs `%SYSTEMROOT%\Windows\System32\DFDWiz.exe` [1] [2]. + It runs `%SYSTEMROOT%\System32\DFDWiz.exe` [1] [2]. This executable is known as "Windows Disk Diagnostic User Resolver" [1] [2]. Disabling this task enhances privacy by preventing the collection and display of @@ -3812,7 +3812,7 @@ actions: | Windows 10 21H2 | πŸ”΄ Disabled | | Windows 10 22H2 | πŸ”΄ Disabled | | Windows 11 22H2 | πŸ”΄ Disabled | - | Windows 11 22H3 | πŸ”΄ Disabled | + | Windows 11 23H2 | πŸ”΄ Disabled | [1]: https://web.archive.org/web/20231215183637/http://windows.fyicenter.com/4258_Microsoft-Windows-DiskDiagnosticResolver_Scheduled_Task_on_Windows_7.html '"Microsoft-Windows-DiskDiagnosticResolver" Scheduled Task on Windows 7 | windows.fyicenter.com' [2]: https://web.archive.org/web/20231215183645/https://www.shouldiblockit.com/dfdwiz.exe-7565.aspx "dfdwiz.exe - Should I Block It? (Windows Disk Diagnostic User Resolver) | www.shouldiblockit.com" @@ -4021,7 +4021,7 @@ actions: The Citrix optimization guide recommends disabling this task to enhance operating system performance [5]. The task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant` [1] [2] [3] [4] [6] [7]. - It runs `%WINDIR%\System32\ceipdata.exe` [3] [6] [7]. + It runs `%SYSTEMROOT%\System32\ceipdata.exe` [3] [6] [7]. This task was originally introduced in Windows Server 2008 [2] [8]. Tests show this task is absent in modern Windows versions. 
@@ -4067,7 +4067,7 @@ actions: The Citrix optimization guide recommends disabling this task to boost system performance [5]. The task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector` [3] [4] [6] [7]. - It executes `%WINDIR%\System32\ceiprole.exe` [3] [6] [7]. + It executes `%SYSTEMROOT%\System32\ceiprole.exe` [3] [6] [7]. This process is named "Windows Server Role Collector" [6] [8]. This task was originally introduced in Windows Server 2008 [4] [9]. @@ -4113,7 +4113,7 @@ actions: functions for users and other computers on a network [1]. This task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector` [2] [3] [4]. - The task runs `%WINDIR%\System32\ceipdata.exe -roleusage` [2] [3]. + The task runs `%SYSTEMROOT%\System32\ceipdata.exe -roleusage` [2] [3]. Microsoft describes `ceipdata.exe` as part of the "Windows Server Customer Experience Improvement Program" [3] [4] [5]. Disabling this task protects your privacy by stopping a CEIP data collection process. @@ -4257,7 +4257,7 @@ actions: `CompatTelRunner.exe` is known for high CPU [8], disk [8], and network usage [2], affecting system performance. Disabling it can therefore lead to better computer efficiency and enhanced privacy by reducing data transmission to Microsoft. - The `CompatTelRunner.exe` is located in the directory: `%WINDIR%\System32\CompatTelRunner.exe` [1]. + The `CompatTelRunner.exe` is located in the directory: `%SYSTEMROOT%\System32\CompatTelRunner.exe` [1]. This script specifically targets and disables it at this location. [1]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health "Monitor connection health - Configuration Manager | Microsoft Learn" 
@@ -4276,7 +4276,7 @@ actions: - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\System32\CompatTelRunner.exe' + fileGlob: '%SYSTEMROOT%\System32\CompatTelRunner.exe' grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2 - category: Disable background application compatibility checks (Application Experience scheduled tasks) @@ -4509,7 +4509,7 @@ actions: This script disables the "MareBackup" scheduled task. According to the Task Scheduler, this task gathers Win32 application data for backups. - It executes `%WINDIR%\System32\CompatTelRunner.exe`. + It executes `%SYSTEMROOT%\System32\CompatTelRunner.exe`. Although this task is intended for backup and system reliability, some users may prefer limiting the amount of data collected by Windows, thus enhancing their privacy. @@ -4949,7 +4949,7 @@ actions: This script disables the "Device" scheduled task. According to the Task Scheduler, this task triggers the execution of the - `%WINDIR%\System32\devicecensus.exe SystemCxt` command in Windows 10 and 11. + `%SYSTEMROOT%\System32\devicecensus.exe SystemCxt` command in Windows 10 and 11. This component collects device and configuration data, which is then sent to Microsoft [1]. By disabling this task, users can prevent this specific data collection process, enhancing their privacy. @@ -4977,7 +4977,7 @@ actions: This script disables the "Device User" scheduled task. According to the Task Scheduler, this task triggers the execution of the - `%WINDIR%\System32\devicecensus.exe UserCxt` command in Windows 10 and 11. + `%SYSTEMROOT%\System32\devicecensus.exe UserCxt` command in Windows 10 and 11. This component collects device and configuration data, which is then sent to Microsoft [1]. By disabling this task, users can prevent this specific data collection process, enhancing their privacy. 
@@ -5003,7 +5003,7 @@ actions: recommend: standard docs: |- This script prevents the execution of `devicecensus.exe`, also known as the "device and configuration data collection tool" [1]. - This tool is located at `%WINDIR%\System32\DeviceCensus.exe` [1] [2] and is responsible for gathering data used for compatibility updates [3]. + This tool is located at `%SYSTEMROOT%\System32\DeviceCensus.exe` [1] [2] and is responsible for gathering data used for compatibility updates [3]. Disabling this tool helps keeping the device's data private and preventing its usage for diagnostic collections or determining update applicability [1] [2] [3]. @@ -5144,8 +5144,8 @@ actions: business cloud [1]. [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" - [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing" - [3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703 + [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing | admx.help" + [3]: https://archive.ph/2024.12.02-094527/https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/update-management-for-windows-on-a-windows-365-cloud-pc/3452703 "Update Management for Windows on a Windows 365 Cloud PC | Microsoft Community Hub | techcommunity.microsoft.com" call: function: SetRegistryValue parameters: 
@@ -5246,7 +5246,7 @@ actions: valueName: AllowTelemetry dataType: REG_DWORD data: '0' - dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (β‰₯ 22H2) | `1` on Windows 11 Pro (β‰₯ 22H3) + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (β‰₯ 22H2) | `1` on Windows 11 Pro (β‰₯ 23H2) - function: SetRegistryValue # Using Group policy object (GPO) parameters: @@ -5369,7 +5369,7 @@ actions: [1]: https://web.archive.org/web/20231018135854/https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/windows-error-reporting-diagnostics-enablement-guidance "Windows Error Reporting and Windows diagnostics enablement guidance - Windows Client | Microsoft Learn" [2]: https://web.archive.org/web/20231018135903/https://learn.microsoft.com/en-us/windows/win32/wer/wer-settings "WER Settings - Win32 apps | Microsoft Learn" - [3]: https://web.archive.org/web/20231018135918/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent. | stigviewer.com" + [3]: https://web.archive.org/web/20241001141010/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent. | stigviewer.com" [4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com" [5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com" call: 
@@ -5406,7 +5406,7 @@ actions: valueName: DefaultConsent dataType: REG_DWORD data: '1' - dataOnRevert: '4' # Default value: `4` on Windows 10 Pro (β‰₯ 22H2) | `4` on Windows 11 Pro (β‰₯ 22H3) + dataOnRevert: '4' # Default value: `4` on Windows 10 Pro (β‰₯ 22H2) | `4` on Windows 11 Pro (β‰₯ 23H2) - function: SetRegistryValue parameters: @@ -5725,7 +5725,7 @@ actions: directed to `www.msftconnecttest.com` [2]. Passive probes assess connectivity by examining network traffic [1]. - The app's configuration, located in `%WINDIR%\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\AppxManifest.xml`, indicates + The app's configuration, located in `%SYSTEMROOT%\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\AppxManifest.xml`, indicates that it operates without a visible user interface and is not listed in the start menu or app list. Its primary function is to manage the maintenance of the NCSI component and communicate over the internet. This absence of a user interface can be confirmed by running `explorer.exe shell:appsFolder\NcsiUwpApp_8wekyb3d8bbwe!App`. 
@@ -8524,7 +8524,7 @@ actions: Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation. [1]: https://web.archive.org/web/20230922125001/https://download.microsoft.com/download/c/3/f/c3f8bd05-1743-4d7d-849c-c352b0f61835/office2010grouppolicyandoctsettings_reference.xls "ADMX, ADML, and ADM Settings - Download Center | microsoft.com" - [2]: https://web.archive.org/web/20230922125003/https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 "The Customer Experience Improvement Program for Office must be disabled. | stigviewer.com" + [2]: https://web.archive.org/web/20241001141030/https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 "The Customer Experience Improvement Program for Office must be disabled. | stigviewer.com" [3]: https://web.archive.org/web/20221205201409/https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_EnableCustomerExperienceImprovementProgram "Enable Customer Experience Improvement Program | admx.help" [4]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org" call: 
@@ -10869,7 +10869,7 @@ actions: [1]: https://web.archive.org/web/20240314100851/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/address-bar-settings-gp#configure-search-suggestions-in-address-bar "Microsoft Edge - Address bar group policies | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240624135139/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar "Configure search suggestions in Address bar | admx.help" - [3]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/configure-search-suggestions-in-address-bar "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#allowsearchsuggestionsinaddressbar "Browser Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#131-microsoft-edge-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" call: function: SetLegacyEdgePolicyViaRegistry 
@@ -15471,7 +15471,7 @@ actions: This reporting occurs even when the `DiagTrack` service is disabled [5]. - Users can verify the MSRT's reporting behavior by examining the log file at `%WINDIR%\debug\mrt.log` [5]. + Users can verify the MSRT's reporting behavior by examining the log file at `%SYSTEMROOT%\debug\mrt.log` [5]. This script configures `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation` registry key to halt this data sharing with Microsoft [3] [5] [6]. 
@@ -15876,80 +15876,81 @@ actions: - name: Disable Defender Antivirus boot driver docs: |- - This script disables the Windows Defender boot driver (`WdBoot`) to reduce system monitoring and enhance your privacy and control. + This script disables the Windows Defender boot driver (`WdBoot`) to reduce system monitoring and enhance your + privacy and control. This driver is also known as: - - Windows Defender Boot Driver [2] - - Microsoft Defender Antivirus Boot Driver [3] - - Early Launch Anti-malware (ELAM) boot driver [5] - - Windows Defender ELAM Driver [7] [10] - - Microsoft antimalware boot driver [9] - - Early Launch Antimalware (ELAM) driver [19] - - Microsoft introduced this driver as a security feature in Windows 8 [7]. - As a default component in Windows, the driver comes pre-installed with the operating system [2] [3] [10]. - The driver serves as an integral part of both **Defender Antivirus** [10] [11] [12] [15] [19] and **Defender for Endpoint** [11] [12] [19]. - It functions as a component of Microsoft's anti-tampering mechanism that supports third-party security products [18]. - - This driver starts before any other boot-start drivers begin running [6] [18] [19]. - It can also become operational through **Limited Periodic Scanning** [14]. - Once active, it assists the Windows kernel in determining whether other drivers are safe to run [19]. - - The driver supports **Early Launch Anti-malware (ELAM)** [10]. - **ELAM** is a feature that allows antimalware software to start before other third-party components [6]. - ELAM can load an anti-malware driver before other non-Microsoft boot drivers and applications [10]. - It protects the system by helping to preserve the chain of trust established by **Secure Boot** and **Trusted Boot** [10]. 
+ - Windows Defender Boot Driver [1] + - Microsoft Defender Antivirus Boot Driver [2] + - Early Launch Anti-malware (ELAM) boot driver [3] + - Windows Defender ELAM Driver [4] [5] + - Microsoft antimalware boot driver [6] + - Early Launch Antimalware (ELAM) driver [7] + + Microsoft introduced this driver as a security feature in Windows 8 [4]. + As a default component in Windows, the driver comes pre-installed with the operating system [1] [2] [5]. + The driver serves as an integral part of both **Defender Antivirus** [5] [7] [8] [9] [10] and **Defender for Endpoint** [7] [8] [9]. + It functions as a component of Microsoft's anti-tampering mechanism that supports third-party security products [11]. + + This driver starts before any other boot-start drivers begin running [7] [11] [12]. + It can also become operational through **Limited Periodic Scanning** [13]. + Once active, it assists the Windows kernel in determining whether other drivers are safe to run [7]. + + The driver supports **Early Launch Anti-malware (ELAM)** [5]. + **ELAM** is a feature that allows antimalware software to start before other third-party components [12]. + ELAM can load an anti-malware driver before other non-Microsoft boot drivers and applications [5]. + It protects the system by helping to preserve the chain of trust established by **Secure Boot** and **Trusted Boot** [5]. 
ELAM works as follows: - - Antimalware drivers load first and can block unknown drivers from starting [6] - - ELAM examines every boot driver to check if it's on the list of trusted drivers [10] - - If a driver is not trusted, Windows will not load it [10] - - After boot drivers start and storage becomes available, antimalware software continues blocking malware [6] + - Antimalware drivers load first and can block unknown drivers from starting [12] + - ELAM examines every boot driver to check if it's on the list of trusted drivers [5] + - If a driver is not trusted, Windows will not load it [5] + - After boot drivers start and storage becomes available, antimalware software continues blocking malware [12] The driver monitors the Windows boot process by: - - Checking other drivers before they can start during Windows boot [7] [8] [10] [19] - - Verifying driver certificates and hashes against its database [5] [7] [8] [18] - - Managing a malware signature database [5] [6] [8] - - Monitoring and rolling back changes to Defender's main driver (`WdFilter.sys`) as temper protection [7] [5] [10] [18] - - Storing information for later analysis [7] [8] - - Notifying other components [5] [7] [10] like `WdFilter.sys` [5] [7] + - Checking other drivers before they can start during Windows boot [4] [5] [7] [14] + - Verifying driver certificates and hashes against its database [3] [4] [11] [14] + - Managing a malware signature database [3] [12] [14] + - Monitoring and rolling back changes to Defender's main driver (`WdFilter.sys`) as temper protection [3] [4] [5] [11] + - Storing information for later analysis [4] [14] + - Notifying other components [3] [4] [5] like `WdFilter.sys` [3] [4] This script improves privacy by: - Reduces system monitoring during boot - - Allows deeper system modifications [10] to increase privacy such as disabling Defender - - Prevents Microsoft from controlling which processes can run with antimalware protection [18] + - Allows deeper system 
modifications [5] to increase privacy such as disabling Defender + - Prevents Microsoft from controlling which processes can run with antimalware protection [11] This script may improve system performance by: - Improving boot time by removing additional verification steps - - Preventing system crashes (Blue Screen of Death) associated with this driver [4] [16] + - Preventing system crashes (Blue Screen of Death) associated with this driver [15] However, this script may reduce security in the following ways: - - Reducing protection against malicious boot drivers [10] - - Removing early-boot malware detection [6] [8] [18] - - Creating an unsupported system configuration [11] [12] that may cause stability issues [17] + - Reducing protection against malicious boot drivers [5] + - Removing early-boot malware detection [11] [12] [14] + - Creating an unsupported system configuration [8] [9] that may cause stability issues [16] > **Caution:** > Disabling this feature removes security checks during system startup, which could may malicious software to run during boot. ### Technical Details - This driver installs as part of the `Windows-Defender-Drivers` package [1]. + This driver installs as part of the `Windows-Defender-Drivers` package [17]. 
This script: - - Disables the `wdboot` service [2] [3] [11] [12] + - Disables the `wdboot` service [1] [2] [8] [9] - Removes driver files from: - - `%SYSTEMROOT%\System32\drivers\WdBoot.sys` [2] [3] [5] [8] [9] [13] [15] - - `C:\Windows\ELAMBKUP\WdBoot.sys` [19] - - Removes registry configuration at `HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch!BackupPath` [19] - - Deletes signature database at `%SYSTEMROOT%\System32\Config\elam` [8] + - `%SYSTEMROOT%\System32\drivers\WdBoot.sys` [1] [2] [3] [6] [10] [14] [18] + - `C:\Windows\ELAMBKUP\WdBoot.sys` [7] + - Removes registry configuration at `HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch!BackupPath` [7] + - Deletes signature database at `%SYSTEMROOT%\System32\Config\elam` [14] - On older systems, this driver file may be found at `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys` [13] [16] + On older systems, this driver file may be found at `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys` [15] [18] #### Overview of default service statuses 
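Review bot: The renumbered line `- Monitoring and rolling back changes to Defender's main driver (`WdFilter.sys`) as temper protection [3] [4] [5] [11]` keeps the misspelling "temper protection"; since the line is rewritten anyway, it should read `as tamper protection`, which is also the term Microsoft uses for this Defender feature. The citation renumbering itself looks consistent with the new reference list in the following hunk (old [2]/[3]/[5]/[8]/[9]/[13]/[15] for `WdBoot.sys` map to new [1]/[2]/[3]/[14]/[6]/[18]/[10]). The unchanged caution sentence in the same hunk, "which could may malicious software to run during boot", is pre-existing but worth fixing in the same pass ("which could allow malicious software to run during boot"). The `docs:` scalar for this entry begins before the hunk and its `call:` section follows in the next hunk.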
@@ -15958,25 +15959,24 @@ actions: | Windows 10 (β‰₯ 22H2) | πŸ”΄ Stopped | Boot | | Windows 11 (β‰₯ 23H2) | πŸ”΄ Stopped | Boot | - [1]: https://archive.ph/2024.10.27-164219/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba Β· privacysexy-forks/nickel-x64 | github.com" - [2]: https://archive.ph/2024.10.27-165733/https://batcmd.com/windows/8/services/wdboot/ "Windows Defender Boot Driver - Windows 8 Service - batcmd.com | batcmd.com" - [3]: https://archive.ph/2024.10.27-165849/https://batcmd.com/windows/11/services/wdboot/ "Microsoft Defender Antivirus Boot Driver - Windows 11 Service - batcmd.com | batcmd.com" - [4]: https://answers.microsoft.com/ru-ru/windows/forum/all/%D0%BD%D0%B5/f15e0e1b-06be-45ce-a3f5-c0f63c6428d1 "НС запускаСтся Windows 10 ΠΈΠ·-Π·Π° wdboot.sys, ошибка 0x000007b - БообщСство Microsoft | answers.microsoft.com" - [5]: https://archive.ph/2024.10.27-165804/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/drivers/WdBoot.sys.strings "10_0_22622_601/C/Windows/System32/drivers/WdBoot.sys.strings at c598035e1a6627384d646140fe9e4d234b36b11d Β· privacysexy-forks/10_0_22622_601 | github.com" - [6]: https://archive.ph/2024.10.27-165810/https://learn.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware "Overview of Early Launch AntiMalware - Windows drivers | Microsoft Learn | learn.microsoft.com" - [7]: https://archive.ph/2024.10.27-165818/https://n4r1b.netlify.app/posts/2019/11/understanding-wdboot-windows-defender-elam/ "Understanding WdBoot (Windows Defender ELAM) :: Up is Down and Black is White β€” n4r1b | n4r1b.netlify.app" - [8]: 
https://web.archive.org/web/20230731224608/https://hal.science/hal-03088315/document "ELAM: The Windows Defender ELAM Driver | hal.science" - [9]: https://archive.ph/2024.10.27-165826/https://systemexplorer.net/file-database/file/wdboot-sys/15452761 "What is wdboot.sys from Microsoft Corporation? (id:15452761) | systemexplorer.net" - [10]: https://archive.ph/2024.10.27-170051/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices "Control the health of Windows devices | Microsoft Learn | learn.microsoft.com" - [11]: https://web.archive.org/web/20240717094647/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" - [12]: https://archive.ph/2024.10.27-165840/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating "Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" - [13]: https://archive.ph/2024.10.27-165848/https://learn.microsoft.com/en-us/azure/attestation/tpm-attestation-sample-policies "Examples of an Azure TPM Attestation policy | Microsoft Learn | learn.microsoft.com" - [14]: https://archive.ph/2024.10.27-165901/https://www.winhelponline.com/blog/windows-defender-running-alongside-antivirus-program-limited-periodic-scanning/ "Why Is Windows Defender Running Alongside my Antivirus Program? 
Β» Winhelponline | www.winhelponline.com" - [15]: https://archive.ph/2024.10.27-165901/https://learn.microsoft.com/en-us/archive/blogs/dubaisec/elam-driver "ELAM Driver | Microsoft Learn | learn.microsoft.com" - [16]: https://archive.ph/2024.10.27-165906/https://www.deploycentral.com/topic/1131-wdbootsys-bsod/ "WDBoot.sys BSOD - SmartDeploy Enterprise - DeployCentral | www.deploycentral.com" - [17]: https://archive.ph/2024.10.27-165908/https://groups.google.com/g/uk.comp.homebuilt/c/wC8YeAgPKAg "Help repairing an unbootable Windows 10 system - wdboot.sys missing | groups.google.com" - [18]: https://i.blackhat.com/USA-22/Thursday/US-22-Graeber-Living-Off-the-Walled-Garden.pdf "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem | Matt Graeber | PowerPoint Presentation | i.blackhat.com" - [19]: https://archive.ph/2024.10.27-165922/https://learn.microsoft.com/en-us/defender-endpoint/elam-on-mdav "Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [1]: https://archive.ph/2024.10.27-165733/https://batcmd.com/windows/8/services/wdboot/ "Windows Defender Boot Driver - Windows 8 Service - batcmd.com | batcmd.com" + [2]: https://archive.ph/2024.10.27-165849/https://batcmd.com/windows/11/services/wdboot/ "Microsoft Defender Antivirus Boot Driver - Windows 11 Service - batcmd.com | batcmd.com" + [3]: https://archive.ph/2024.10.27-165804/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/drivers/WdBoot.sys.strings "10_0_22622_601/C/Windows/System32/drivers/WdBoot.sys.strings at c598035e1a6627384d646140fe9e4d234b36b11d Β· privacysexy-forks/10_0_22622_601 | github.com" + [4]: https://archive.ph/2024.10.27-165818/https://n4r1b.netlify.app/posts/2019/11/understanding-wdboot-windows-defender-elam/ "Understanding WdBoot (Windows Defender ELAM) :: Up is Down and Black is White β€” n4r1b | 
n4r1b.netlify.app"
+ [5]: https://archive.ph/2024.10.27-170051/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices "Control the health of Windows devices | Microsoft Learn | learn.microsoft.com"
+ [6]: https://archive.ph/2024.10.27-165826/https://systemexplorer.net/file-database/file/wdboot-sys/15452761 "What is wdboot.sys from Microsoft Corporation? (id:15452761) | systemexplorer.net"
+ [7]: https://archive.ph/2024.10.27-165922/https://learn.microsoft.com/en-us/defender-endpoint/elam-on-mdav "Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [8]: https://web.archive.org/web/20240717094647/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [9]: https://archive.ph/2024.10.27-165840/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating "Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
+ [10]: https://archive.ph/2024.10.27-165901/https://learn.microsoft.com/en-us/archive/blogs/dubaisec/elam-driver "ELAM Driver | Microsoft Learn | learn.microsoft.com"
+ [11]: https://web.archive.org/web/20241202100509/https://i.blackhat.com/USA-22/Thursday/US-22-Graeber-Living-Off-the-Walled-Garden.pdf "Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem | Matt Graeber | PowerPoint Presentation | i.blackhat.com"
+ [12]: https://archive.ph/2024.10.27-165810/https://learn.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware "Overview of Early Launch AntiMalware - Windows drivers | 
Microsoft Learn | learn.microsoft.com"
+ [13]: https://archive.ph/2024.10.27-165901/https://www.winhelponline.com/blog/windows-defender-running-alongside-antivirus-program-limited-periodic-scanning/ "Why Is Windows Defender Running Alongside my Antivirus Program? Β» Winhelponline | www.winhelponline.com"
+ [14]: https://web.archive.org/web/20230731224608/https://hal.science/hal-03088315/document "ELAM: The Windows Defender ELAM Driver | hal.science"
+ [15]: https://archive.ph/2024.10.27-165906/https://www.deploycentral.com/topic/1131-wdbootsys-bsod/ "WDBoot.sys BSOD - SmartDeploy Enterprise - DeployCentral | www.deploycentral.com"
+ [16]: https://archive.ph/2024.10.27-165908/https://groups.google.com/g/uk.comp.homebuilt/c/wC8YeAgPKAg "Help repairing an unbootable Windows 10 system - wdboot.sys missing | groups.google.com"
+ [17]: https://archive.ph/2024.10.27-164219/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-drivers_31bf3856ad364e35_10.0.22621.1_none_5262daf3e8f76071.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba Β· privacysexy-forks/nickel-x64 | github.com"
+ [18]: https://archive.ph/2024.10.27-165848/https://learn.microsoft.com/en-us/azure/attestation/tpm-attestation-sample-policies "Examples of an Azure TPM Attestation policy | Microsoft Learn | learn.microsoft.com"
 call: # Excluding: # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: πŸ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 
@@ -16106,7 +16106,7 @@ actions:
 [1]: https://archive.ph/2024.10.27-171829/https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/drivers/mssecflt.sys.strings "10_0_22000_1165/C/Windows/System32/drivers/mssecflt.sys.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d Β· privacysexy-forks/10_0_22000_1165 | github.com"
 [2]: https://web.archive.org/web/20241007124239/https://crash.software/STRLCPY/Conferences/~raw/main/Offensivecon%202023%20slides/Yarden%20Shafir_Your%20Mitigations%20are%20My%20Opportunities.pdf
 [3]: https://web.archive.org/web/20241007150442/https://learn.microsoft.com/en-us/windows/dev-drive/ "Set up a Dev Drive on Windows 11 | Microsoft Learn | learn.microsoft.com"
- [4]: https://answers.microsoft.com/en-us/windows/forum/all/new-build-windows-11-computer-not-going-to-sleep/f88b8d66-f115-4172-aa7c-4861f52ba29a "New Build windows 11 computer not going to sleep - Microsoft Community | answers.microsoft.com"
+ [4]: https://web.archive.org/web/20241202094559/https://answers.microsoft.com/en-us/windows/forum/all/new-build-windows-11-computer-not-going-to-sleep/f88b8d66-f115-4172-aa7c-4861f52ba29a "New Build windows 11 computer not going to sleep - Microsoft Community | answers.microsoft.com"
 [5]: https://archive.ph/2024.10.27-171848/https://batcmd.com/windows/10/services/mssecflt/ "Microsoft Security Events Component Minifilter - Windows 10 Service - batcmd.com | batcmd.com"
 [6]: https://archive.ph/2024.10.27-171853/https://revertservice.com/10/mssecflt/ "Microsoft Security Events Component Minifilter (MsSecFlt) Service Defaults in Windows 10 | revertservice.com"
 [7]: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html "Inside Windows Defender System Guard Runtime Monitor | $~ lloydlabs | blog.syscall.party"
@@ -16117,9 +16117,9 @@ actions:
 [12]: https://archive.ph/2024.10.27-171937/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/mssecuser.dll.strings "10_0_22622_601/C/Windows/System32/mssecuser.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d Β· privacysexy-forks/10_0_22622_601 | github.com"
 [13]: https://archive.ph/2024.10.27-172051/https://github.com/privacysexy-forks/ExecutiveCallbackObjects/blob/master/542875F90F9B47F497B64BA219CACF69/README.md "ExecutiveCallbackObjects/542875F90F9B47F497B64BA219CACF69/README.md at master Β· privacysexy-forks/ExecutiveCallbackObjects | github.com"
 [14]: https://web.archive.org/web/20240922215705/https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf "Updated Analysis of PatchGuard on Microsoft Windows 10 RS4 | A use case of REVEN, the Timeless Analysis Tool | Author : Luc Reginato | Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf | blog.tetrane.com"
- [15]: https://www.x33fcon.com/slides/x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf "Busting Red Team Trends With Style | Lessons Learned From Building an ETW Based Sysmon Replacement From Scratch | Philipp Schmied, Sebas0an Feldmann | x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf | www.x33fcon.com"
+ [15]: https://web.archive.org/web/20241202094736/https://www.x33fcon.com/slides/x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf "Busting Red Team Trends With Style | Lessons Learned From Building an ETW Based Sysmon Replacement From Scratch | Philipp Schmied, Sebas0an Feldmann | 
x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf | www.x33fcon.com"
 [16]: https://archive.ph/2024.10.09-113246/https://support.citrix.com/s/article/CTX691481-specific-defender-files-are-missing-from-the-published-image?language=en_US "Specific Defender files are missing from the published image | support.citrix.com"
- [17]: https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-disable-microsoft-defender-antivirus/14725d12-3611-48ba-a82e-b51a47726034 "How do I disable Microsoft Defender Antivirus - Microsoft Community | answers.microsoft.com"
+ [17]: https://web.archive.org/web/20241202094221/https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-disable-microsoft-defender-antivirus/14725d12-3611-48ba-a82e-b51a47726034 "How do I disable Microsoft Defender Antivirus - Microsoft Community | answers.microsoft.com"
 [18]: https://archive.ph/2024.10.27-172013/https://github.com/privacysexy-forks/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml "Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].yaml at master Β· privacysexy-forks/Azure-Sentinel | github.com"
 [19]: https://archive.ph/2024.10.27-163942/https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs "When the hunter becomes the hunted: Using custom callbacks to disable EDRs | www.alteredsecurity.com"
 [20]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com"
@@ -17125,7 +17125,7 @@ actions:
 docs:
 - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
- - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
+ - https://web.archive.org/web/20241202094117/https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version-2004/1543631
 call:
 function: SetRegistryValue
 parameters:
@@ -17809,7 +17809,7 @@ actions:
 Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully
- Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1].
+ Submitted Heartbeat Report" can be checked in the MRT log, found at `%SYSTEMROOT%\debug\mrt.log` [1].
 By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft.
@@ -20863,7 +20863,7 @@ actions:
 established security rules [1] [5] to prevent unauthorized access [3] [4]. This service runs the firewall component of Windows [4].
- It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3].
+ It starts automatically [3] and runs the `%SYSTEMROOT%\System32\MPSSVC.dll` driver [3].
 This file is also referred to as **Microsoft Protection Service** [6]. Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services 
@@ -20920,7 +20920,7 @@ actions:
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\mpssvc.dll'
+ fileGlob: '%SYSTEMROOT%\System32\mpssvc.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 -
 function: ShowComputerRestartSuggestion
@@ -22300,8 +22300,8 @@ actions:
 | File path | Windows 11 (23H2) | Windows 10 (22H2) |
 |-----------|-----------------------------|-----------------------------|
- | `%WINDIR%\System32\ieapfltr.dll` [5] | ❌ Missing | ❌ Missing |
- | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | βœ… Yes | βœ… Exists |
+ | `%SYSTEMROOT%\System32\ieapfltr.dll` [5] | ❌ Missing | ❌ Missing |
+ | `%SYSTEMROOT%\SysWOW64\ieapfltr.dll` [1] | βœ… Yes | βœ… Exists |
 This component is associated with following CLSIDs:
@@ -22317,12 +22317,12 @@ actions:
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\ieapfltr.dll'
- grantPermissions: 'true' # πŸ”’οΈ Likely protected as other files in `%WINDIR%\System32`, not tested due to lack of this file on modern Windows
+ fileGlob: '%SYSTEMROOT%\System32\ieapfltr.dll'
+ grantPermissions: 'true' # πŸ”’οΈ Likely protected as other files in `%SYSTEMROOT%\System32`, not tested due to lack of this file on modern Windows
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll'
+ fileGlob: '%SYSTEMROOT%\SysWOW64\ieapfltr.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 Pro (β‰₯ 22H2) | πŸ”’οΈ Protected on Windows 11 Pro (β‰₯ 23H2)
 -
 function: SoftDeleteRegistryKey
@@ -22395,7 +22395,7 @@ actions:
 ### Technical Details
- The executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5].
+ The executable is located at `%SYSTEMROOT%\System32\smartscreen.exe` [1] [2] [4] [5].
 This script will: 
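Review bot: In the `@@ -22300` table the rewritten `SysWOW64\ieapfltr.dll` row still says `Yes` in the Windows 11 column while every other availability cell in these tables (including the whole `@@ -22453` table on the next hunk line) says `Exists`. Since the line is being touched for the path rename anyway, replacing `Yes` with `Exists` in that cell keeps the status vocabulary uniform across the file.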
@@ -22419,7 +22419,7 @@ actions:
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\smartscreen.exe'
+ fileGlob: '%SYSTEMROOT%\System32\smartscreen.exe'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2
 -
 name: Disable SmartScreen libraries
@@ -22453,10 +22453,10 @@ actions:
 | File path | Windows 11 (23H2) | Windows 10 (22H2) |
 |-----------|-----------------------------|-----------------------------|
- | `%WINDIR%\System32\smartscreen.dll` [2] | βœ… Exists | ❌ Missing |
- | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | βœ… Exists | ❌ Missing |
- | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | βœ… Exists | βœ… Exists |
- | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | βœ… Exists | βœ… Exists |
+ | `%SYSTEMROOT%\System32\smartscreen.dll` [2] | βœ… Exists | ❌ Missing |
+ | `%SYSTEMROOT%\SysWOW64\smartscreen.dll` [3] | βœ… Exists | ❌ Missing |
+ | `%SYSTEMROOT%\System32\smartscreenps.dll` [4] [5] | βœ… Exists | βœ… Exists |
+ | `%SYSTEMROOT%\SysWOW64\smartscreenps.dll` [6] [7] | βœ… Exists | βœ… Exists |
 [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc Β· privacysexy-forks/10_0_22621_870 Β· GitHub | github.com"
 [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 Β· privacysexy-forks/10_0_22621_1028 Β· GitHub | github.com"
@@ -22469,22 +22469,22 @@ actions:
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\smartscreen.dll'
+ fileGlob: '%SYSTEMROOT%\System32\smartscreen.dll'
 grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\smartscreenps.dll'
+ fileGlob: '%SYSTEMROOT%\System32\smartscreenps.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll'
+ fileGlob: '%SYSTEMROOT%\SysWOW64\smartscreen.dll'
 grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll'
+ fileGlob: '%SYSTEMROOT%\SysWOW64\smartscreenps.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 23H2
 -
 name: Disable SmartScreen integrations
@@ -23488,8 +23488,8 @@ actions:
 It is located at the following paths:
- - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4]
- - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2]
+ - `%SYSTEMROOT%\System32\SmartScreenSettings.exe` [1] [4]
+ - `%SYSTEMROOT%\SysWOW64\SmartScreenSettings.exe` [2]
 > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
@@ -23501,12 +23501,12 @@ actions:
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe'
+ fileGlob: '%SYSTEMROOT%\System32\SmartScreenSettings.exe'
 grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2
 -
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe'
+ fileGlob: '%SYSTEMROOT%\SysWOW64\SmartScreenSettings.exe'
 grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2
 -
 category: Disable Windows Security interface
@@ -26417,7 +26417,7 @@ actions:
 The script removes the following components:
- - Windows Defender Firewall Control Panel [2] (File Path: `%WINDIR\System32\FirewallControlPanel.dll` [2] [3] [4] [5] [6])
+ - Windows Defender Firewall Control Panel [2] (File Path: `%SYSTEMROOT\System32\FirewallControlPanel.dll` [2] [3] [4] [5] [6])
 - Virtual Factory for Windows Defender Firewall CPL class [3] (CLSID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3])
 - Virtual Factory for Windows Defender Firewall CPL app [3] (AppID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3])
 - `FirewallControlPanel.dll` COM class (CLSID: `1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1` [4])
@@ -26437,7 +26437,7 @@ actions:
 function: SoftDeleteFiles
 parameters:
 # Availability: βœ… Windows 10 Pro (β‰₯ 22H2) | βœ… Windows 11 Pro (β‰₯ 23H2)
- fileGlob: '%WINDIR%\System32\FirewallControlPanel.dll'
+ fileGlob: '%SYSTEMROOT%\System32\FirewallControlPanel.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 -
 function: SoftDeleteRegistryKey
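Review bot: The new line in the `@@ -26417` hunk still reads `%SYSTEMROOT\System32\FirewallControlPanel.dll` — the closing `%` is missing, so the rename carried over the typo from `%WINDIR\System32\...` instead of fixing it. The `fileGlob` in the following `@@ -26437` hunk uses the correct `'%SYSTEMROOT%\System32\FirewallControlPanel.dll'`, so the documented path and the actual deletion target now disagree. Suggested line: `` - Windows Defender Firewall Control Panel [2] (File Path: `%SYSTEMROOT%\System32\FirewallControlPanel.dll` [2] [3] [4] [5] [6]) ``.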
@@ -26542,8 +26542,8 @@ actions:
 This script removes:
 - **Windows Defender Firewall with Advanced Security Group Policy Editor Extension** [3] [4]
- - File path: `%WINDIR%\System32\AuthFWGP.dll` [3] [5]
- - File path: `%WINDIR%\SysWOW64\AuthFWGP.dll` [4]
+ - File path: `%SYSTEMROOT%\System32\AuthFWGP.dll` [3] [5]
+ - File path: `%SYSTEMROOT%\SysWOW64\AuthFWGP.dll` [4]
 - **Windows Defender Firewall with Advanced Security** [5] [6] COM class
 - CLSID: `023A36FC-E9D5-419E-824A-CDC66A116E84` [5]
 - CLSID: `0E752416-F29E-4195-A9DD-7F0D4D5A9D71` [6]
@@ -26559,13 +26559,13 @@ actions:
 function: SoftDeleteFiles
 parameters:
 # Availability: βœ… Windows 10 Pro (β‰₯ 22H2) | βœ… Windows 11 Pro (β‰₯ 23H2)
- fileGlob: '%WINDIR%\System32\AuthFWGP.dll'
+ fileGlob: '%SYSTEMROOT%\System32\AuthFWGP.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 -
 function: SoftDeleteFiles
 parameters:
 # Availability: βœ… Windows 10 Pro (β‰₯ 22H2) | βœ… Windows 11 Pro (β‰₯ 23H2)
- fileGlob: '%WINDIR%\SysWOW64\AuthFWGP.dll'
+ fileGlob: '%SYSTEMROOT%\SysWOW64\AuthFWGP.dll'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 -
 function: SoftDeleteRegistryKey
@@ -27842,7 +27842,7 @@ actions:
 > Consider the balance between maintaining privacy and ensuring system security and stability.
 children:
 # Tips:
- # - Related services can be seen in `%WINDIR%\WaaS\services` folder.
+ # - Related services can be seen in `%SYSTEMROOT%\WaaS\services` folder.
 # Excluding:
 # - Background Intelligent Transfer Service (BITS): Not exclusive to disabling automatic Windows updates, may break third-party apps
 # - Delivery Optimization (DoSvc): Not exclusive to disabling automatic Windows updates, breaks Microsoft Store downloads. 
@@ -27949,7 +27949,7 @@ actions:
 By default, the service is enabled with a manual startup type [5] [6]. It runs `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [6], also known as the "WaaSMedic Service DLL" [7].
- It stores remediation settings like registry keys, tasks, and services in the `%WINDIR%\WaaS\` folder [8] [9] [10].
+ It stores remediation settings like registry keys, tasks, and services in the `%SYSTEMROOT%\WaaS\` folder [8] [9] [10].
 This script disables the service, terminates and blocks its executable, and removes its files and Component Object Model (COM) objects. 
@@ -27995,7 +27995,8 @@ actions:
 [1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322β€”Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support"
 [2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
- [3]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba Β· privacysexy-forks/nickel-x64 | github.com" [4]: https://web.archive.org/web/20240828090735/https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates Β· Issue #252 Β· undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy"
+ [3]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba Β· privacysexy-forks/nickel-x64 | github.com"
+ [4]: https://web.archive.org/web/20240828090735/https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates Β· Issue #252 Β· undergroundwires/privacy.sexy | 
github.com/undergroundwires/privacy.sexy"
 [5]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
 [6]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com"
 [7]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io"
@@ -34932,7 +34933,7 @@ actions:
 It is found on both Windows 10 (since 21H2, missing in 20H2) and Windows 11 (since 23H2). The startup command is `"\Microsoft\OneDrive\OneDrive.exe" /background` [1].
- [1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com"
+ [1]: https://web.archive.org/web/20241202095156/https://learn.microsoft.com/en-us/azure/virtual-desktop/onedrive-remoteapp "Launch Microsoft OneDrive with a RemoteApp - Azure Virtual Desktop | Microsoft Learn | learn.microsoft.com"
 call:
 function: DeleteRegistryValue
 parameters: 
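Review bot: The replacement `[1]` in the `@@ -34932` hunk is a different document (a Microsoft Learn page on launching OneDrive with a RemoteApp) rather than an archived copy of the removed Tech Community thread, while the sentence it supports — the `"\Microsoft\OneDrive\OneDrive.exe" /background` startup command — is unchanged. It is worth confirming that the new source actually states that command; if it does not, an archive.org snapshot of the original thread should be kept alongside it so the citation still backs the claim.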
@@ -35166,8 +35167,8 @@ actions:
 | ---- |:----------:|:----------:|
 | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | βœ… Exists | βœ… Exists |
 | `%USERPROFILE%\Links\OneDrive.lnk` | ❌ Missing | ❌ Missing |
- | `%WINDIR%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | βœ… Exists |
- | `%WINDIR%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | βœ… Exists |
+ | `%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | βœ… Exists |
+ | `%SYSTEMROOT%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | βœ… Exists |
 In Windows 10 and higher, additional steps are necessary to delete the OneDrive icon from the navigation pane in Windows Explorer [2], which is executed by this script.
@@ -35182,8 +35183,8 @@ actions:
 shortcutItems: |-
 @{ Revert = $True; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
 @{ Revert = $False; Path = "$env:USERPROFILE\Links\OneDrive.lnk"; }
- @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
- @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
+ @{ Revert = $False; Path = "$env:SYSTEMROOT\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
+ @{ Revert = $False; Path = "$env:SYSTEMROOT\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
 -
 function: RunPowerShell
 parameters: 
@@ -37891,10 +37892,10 @@ actions:
 -
 name: Disable reserved storage for updates # since 19H1 (1903)
 docs:
- - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
- - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
- - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
- - https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
+ - https://web.archive.org/web/20241001145548/https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
+ - https://web.archive.org/web/20241001145540/https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
+ - https://web.archive.org/web/20241001141449/https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
+ - https://web.archive.org/web/20241001145532/https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
 call:
 -
 function: RunInlineCode
@@ -37999,7 +38000,7 @@ functions:
 keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}
 valueName: Debugger
 dataType: REG_SZ
- data: '%WINDIR%\System32\taskkill.exe'
+ data: '%SYSTEMROOT%\System32\taskkill.exe'
 deleteOnRevert: 'true' # No executable has debugging enabled by default
 -
 name: DisableWindowsFeature
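Review bot: `data: '%SYSTEMROOT%\System32\taskkill.exe'` in the `@@ -37999` hunk is stored under `dataType: REG_SZ` (two lines above), which is only correct if `SetRegistryValue` expands the variable before the write; as far as I can tell a literal `%SYSTEMROOT%` in an IFEO `Debugger` value is not expanded when the hook fires, so the redirect would not work. This was equally true of `%WINDIR%`, but since the value is being touched it is worth either confirming the expansion path or recording it inline, e.g. `data: '%SYSTEMROOT%\System32\taskkill.exe' # expanded at write time by SetRegistryValue — confirm`. The enclosing function definition starts outside this hunk.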
@@ -38123,8 +38124,8 @@ functions:
 # - Based on tests, Windows attempts to locate the file in the installation location of the package.
 # This location can be identified using commands such as `(Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation`.
 # Possible installation locations include:
- # - `%WINDIR%\SystemApps\{PackageFamilyName}` (for system apps)
- # - `%WINDIR%\{ShortAppName}` (for system apps)
+ # - `%SYSTEMROOT%\SystemApps\{PackageFamilyName}` (for system apps)
+ # - `%SYSTEMROOT%\{ShortAppName}` (for system apps)
 # - `%SYSTEMDRIVE%\Program Files\WindowsApps\{PackageName}` (for non-system apps)
 # View all package locations: `Get-AppxPackage | Sort Name | Format-Table Name, InstallLocation`
 revertCode: |- 
@@ -38290,26 +38291,26 @@ functions:
 -
 # ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
 # Clear: Installation (SystemApps, Directory I)
- # - Folder : %WINDIR%\SystemApps\{PackageFamilyName}
+ # - Folder : %SYSTEMROOT%\SystemApps\{PackageFamilyName}
 # - Example : C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy
 # - Check : (Get-AppxPackage -AllUsers 'Windows.CBSPreview').InstallLocation
 # - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
 function: SoftDeleteFiles
 parameters:
- fileGlob: '%WINDIR%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*'
+ fileGlob: '%SYSTEMROOT%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*'
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 recurse: 'true'
 -
 # ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
 # Clear: Installation (SystemApps, Directory II)
- # - Folder : %WINDIR%\{ShortAppName}
+ # - Folder : %SYSTEMROOT%\{ShortAppName}
 # - Example : C:\Windows\PrintDialog
 # - Check : (Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation
 # - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
 function: SoftDeleteFiles
 parameters:
 fileGlob: >-
- %WINDIR%\$(("{{ $packageName }}" -Split '\.')[-1])\*
+ %SYSTEMROOT%\$(("{{ $packageName }}" -Split '\.')[-1])\*
 grantPermissions: 'true' # πŸ”’οΈ Protected on Windows 10 since 22H2 | πŸ”’οΈ Protected on Windows 11 since 22H2
 recurse: 'true'
 -
@@ -39919,7 +39920,7 @@ functions:
 $taskFullPath = "$($task.TaskPath)$($task.TaskName)"
 $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
 $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
- $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
+ $taskFilePath="$($env:SYSTEMROOT)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
 $accessGranted = $false
 try {
 $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
@@ -39993,7 +39994,7 @@ functions:
 $taskFullPath = "$($task.TaskPath)$($task.TaskName)"
 $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
 $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
- $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
+ $taskFilePath="$($env:SYSTEMROOT)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
 $accessGranted = $false
 try {
 $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
@@ -40231,7 +40232,7 @@ functions:
 codeComment: 'Add hosts entries for {{ $domain }}'
 code: |-
 $domain ='{{ $domain }}'
- $hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts"
+ $hostsFilePath = "$env:SYSTEMROOT\System32\drivers\etc\hosts"
 $comment = "managed by privacy.sexy"
 $hostsFileEncoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::Utf8
 $blockingHostsEntries = @(
@@ -40300,7 +40301,7 @@ functions:
 # that perform frequent file updates.
 revertCode: |-
 $domain ='{{ $domain }}'
- $hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts"
+ $hostsFilePath = "$env:SYSTEMROOT\System32\drivers\etc\hosts"
 $comment = "managed by privacy.sexy"
 $hostsFileEncoding = [System.Text.Encoding]::UTF8
 $blockingHostsEntries = @(