From 4578a0df836211b2520057f7778c514897cea008 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Mon, 23 Sep 2024 18:14:29 +0200 Subject: [PATCH] win: add CLSID/COM object removal $412 This commit improves existing scripts (or adds new ones) to add COM object removal to scripts. This fixes slow application launches that occur when SmartScreen is removed by privacy.sexy, resolving $412. Key changes: - Introduce `SoftDeleteRegistryKey` to preserve complex registry trees and their permissions. - Add missing CLSIDs for Defender/Windows Update components. Other supporting changes: - Improve documentation for related categories and scripts. - Introduce categories as necessary to structure new scripts. - Add supporting actions along with COM object removal, such as deleting related files or configuring registry settings. - Add ability to constrain soft deletion of files based on Windows version. - Shorten dependent functions to avoid hitting the max character limit in `SoftDeleteRegistryKey`. --- src/application/collections/windows.yaml | 5213 +++++++++++++++++++--- 1 file changed, 4641 insertions(+), 572 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index a1092dc5..b08a7494 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -2281,7 +2281,7 @@ actions: valueName: DisableResetbase dataType: REG_DWORD data: '0' - dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (โ‰ฅ 21H1) | Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (โ‰ฅ 22H2) + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (โ‰ฅ 21H1) | ๐Ÿ” Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (โ‰ฅ 22H2) - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. @@ -10679,7 +10679,7 @@ actions: valueName: AutofillAddressEnabled # Edge โ‰ฅ 77 dwordData: '0' - - name: Disable Edge experimentation and remote configurations + name: Disable Edge experimentation and remote configuration recommend: standard docs: |- # refactor-with-variables: โ€ข Chromium Policy Caution This script disables the Experimentation and Configuration Service in Microsoft Edge, effectively stopping @@ -14918,23 +14918,26 @@ actions: Privacy concerns include: - Sending personal data to Microsoft for analysis [1] [2] [9]. - This allows Microsoft to collect and potentially access your sensitive information. + This allows Microsoft to collect and potentially access your sensitive information. - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. - This prevents users from controlling what data Microsoft collects about them. + This prevents users from controlling what data Microsoft collects about them. - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. - This discourages users from using tools designed to protect their privacy. + This discourages users from using tools designed to protect their privacy. + - Defender itself may introduce vulnerabilities [11] [12]. + This can potentially allow attackers to exploit Defender's own features or implementation flaws. + Despite being a security product, it increases your system's attack surface. Turning off Defender also improves your computer's speed by freeing up system resources [5]. However, disabling these features may result in: - - Potential program malfunctions [11], as these security features are integral to Windows [6]. + - Potential program malfunctions [13], as these security features are integral to Windows [6]. - Lowered defenses against malware and other online threats. - These scripts are primarily designed to disable Defender features that come built into Windows. - They may also affect additional Defender products not included in the default Windows installation. - However, some Defender services available with Microsoft 365 subscriptions may remain unaffected - by these scripts [7] [8]. + These scripts mainly target the built-in Defender features. + Most Defender services that come with Microsoft 365 subscriptions remain largely unaffected [7] [8]. + However, the scripts may impact additional Defender products not included in the standard Windows + installation, such as Defender for Endpoint. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. @@ -14950,7 +14953,9 @@ actions: [8]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" [9]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement โ€“ Microsoft privacy | privacy.microsoft.com" [10]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [11]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [11]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" + [12]: https://web.archive.org/web/20240830101341/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/Microsoft-Windows-Defender.html "Microsoft Windows Defender : Security vulnerabilities, CVEs | www.cvedetails.com" + [13]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Defender data collection @@ -15850,7 +15855,7 @@ actions: valueName: "TamperProtectionSource" dataType: REG_DWORD data: "2" - dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0` on Windows 11 Pro (โ‰ฅ 23H2) + dataOnRevert: "5" # Default value: ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0` on Windows 11 Pro (โ‰ฅ 23H2) elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โœ… Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2) - name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 @@ -16954,6 +16959,479 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Antimalware Scan Interface (AMSI) + docs: |- + This category contains scripts that disable various components of + the Antimalware Scan Interface (AMSI) in Windows. + + AMSI is a standard interface that allows applications and services to + integrate with antimalware products on Windows systems [1] [2] [3] [4] [5]. + It functions as an interception engine, enabling software to work with Defender + and other antivirus solutions to detect potentially malicious scripts and content [1] [2] [3] [5]. + + Key features of AMSI include: + + - Scanning scripts and macros for malicious content before execution [1] [2] [3] [5] + - Providing an additional layer of security against script-based attacks [1] [2] [3] [5] + - Allowing different antivirus vendors to conduct scanning operations [1] [3] [4] [5] + + Disabling AMSI components may enhance privacy by: + + - Reducing the amount of data collected and analyzed by antimalware services + [1] [3] [5] + - Limiting the sharing of potentially sensitive information with security + providers [1] [2] [3] [4] [5] + + It may also improve system performance by: + + - Reducing script scanning overhead [5] + - Decreasing background scanning activities + + However, disabling AMSI carries significant security risks: + + - Reduced protection against malicious scripts, including PowerShell commands and + Microsoft Office macros [1] [2] [3] [5] + - Weakened ability to detect and prevent malware, especially obfuscated threats [2] [3] [5] + - Increased vulnerability to script-based attacks and potentially harmful software gaining + control over the system + + > **Caution:** + > Disabling AMSI components may significantly reduce your system's security. + > It weakens defenses against malware and script-based threats, potentially exposing your system + > to various security risks. + + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [5]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + children: + - + name: Disable Defender AMSI provider + docs: |- + This script disables the Microsoft Defender Antimalware Scan Interface (AMSI) provider, + which is a component of Defender. + + The AMSI provider is part of the **Antimalware Scan Interface (AMSI)** [1] [2]. + AMSI adds security against malicious scripts in Windows [2]. + It allows different antivirus vendors to conduct scanning operations for script-based attacks [2]. + AMSI provides interface to integrate antimalware modules [1] [3]. + By default, Defender uses AMSI to block potentially harmful PowerShell scripts, JavaScript, and + VBA macros [2] + + The main file for the AMSI provider is `MpOav.dll` [1] [3] [4] [5]. + This file: + - Collects Defender's health data and logs [6] + - Decides about content from applications [3] + - May inject itself into other processes [6] + - Scans system memory [3] + + Disabling the AMSI provider may improve your privacy by reducing the amount of data + collected and analyzed by Defender. + It may also improve system performance by reducing script scanning overhead. + + > **Caution:** This script may reduce your security by disabling a protection mechanism against malicious scripts. + + ### Technical Details + + This script deletes: + + - COM objects: + - `MpOav.dll` COM class (CLSID: `{2781761E-28E0-4109-99FE-B9D127C57AFE}`) [3] [4] [7] [8] + - Outdated `MpOav.dll` COM class (CLSID: `2781761E-28E1-4109-99FE-B9D127C57AFE`) [5] + - AMSI provider registration at `HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [2] [3] [4] + - `MpOav.dll` File: + - Current location: `%PROGRAMFILES%\Windows Defender\MpOav.dll` [4]. + According to tests, this file exists on Windows 10 (โ‰ฅ 22H2) and Windows 11 (โ‰ฅ 23H2). + - Previous locations (no longer used in modern Windows versions and not targeted by this script): + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpOav.dll` [1] [3] [9] + - `%PROGRAMFILES%\Microsoft Security Client\MpOAv.dll` [5] + - Internet Explorer Related Entries: + - Current registration: `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [8] [10] + - Legacy associations: + - `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] + - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] + + [1]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [2]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240828115241/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E0-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E0-4109-99FE-B9D127C57AFE | Windows Defender IOfficeAntiVirus implementation | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240831103818/https://serverfault.com/questions/643718/acrobat-reader-xi-addon-gets-disabled-periodically-in-internet-explorer-within-w/666205#666205 "Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain - Server Fault | serverfault.com" + [6]: https://web.archive.org/web/20240828115306/https://dexpacks.lakesidesoftware.com/articles/troubleshooting/Defender-s-MpOav-dll-Injects-Itself-into-SysTrack-Processes-1632490263859 "Defender's MpOav.dll Injects Itself into SysTrack Processes | Lakeside Software Customer Gateway | Lakeside Software, LLC | dexpacks.lakesidesoftware.com" + [7]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [8]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" + [9]: https://web.archive.org/web/20240828115310/https://www.file.net/process/mpoav.dll.html "MpOav.dll Windows process - What is it? | www.file.net" + [10]: https://web.archive.org/web/20240830100359/https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/dn301826(v=vs.85) "IExtensionValidation interface (Windows) | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpOav.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + name: Disable Defender UAC AMSI provider + docs: |- + This script disables the Defender UAC (User Account Control) AMSI (Antimalware Scan Interface) provider. + + The UAC AMSI provider allows Defender to scan and analyze UAC elevation requests for potential security + threats [1]. + UAC manages the elevation of privileges for executables, COM objects, MSI packages, + and ActiveX installations [1]. + UAC elevation on Windows is a security feature that asks for permission before allowing + changes that could affect the system's operation. + + Disabling this provider may enhance privacy by reducing the amount of data scanned and analyzed + during UAC elevation requests. + It may also improve system performance by removing this security check. + However, disabling this component may reduce your system's ability to detect and prevent malware exploiting UAC elevation. + + > **Caution:** + > This script may reduce your computer's security by disabling a feature that helps prevent + > harmful software from gaining more control over your system. + + ### Technical Details + + This script targets the **Windows Defender IAmsiUacProvider** implementation [2], + This provider integrates with the `WinDefend` service [3] [4] [5]. + The `WinDefend` service runs `MpSvc.dll` [6], which utilizes this component as a UAC provider [4]. + + The script removes the application COM registration for CLSID and AppID + `2781761E-28E2-4109-99FE-B9D127C57AFE` [2] [3] [7] by deleting the following registry keys: + + - `HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] + - `HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + - `HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] + - `HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + + It also removes the UacProviders registration under: + `HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [4] [7]. + + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829090059/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E2-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E2-4109-99FE-B9D127C57AFE | Windows Defender IAmsiUacProvider implementation | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master ยท privacysexy-forks/juicy-potato | github.com" + [4]: https://web.archive.org/web/20240917095611/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L9020 "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [5]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240829090503/https://www.shouldiblockit.com/mpsvc.dll-cf318f60a84f15af352439465a8d05f4.aspx "MpSvc.dll - Should I Block It? (MD5 cf318f60a84f15af352439465a8d05f4) | www.shouldiblockit.com" + [7]: https://web.archive.org/web/20240829090236/https://www.bleepingcomputer.com/forums/t/655746/windows-10-has-been-infected-and-i-need-help-please/ "Windows 10 has been infected and i need help, please! - Am I infected? What do I do? | www.bleepingcomputer.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Antimalware Scan Interface (AMSI) for current user + docs: |- + This script disables the Antimalware Scan Interface (AMSI) for the current user, preventing + the integration of applications and services with antimalware products. + + AMSI is a standard interface that integrates applications and services with antimalware products + on Windows machines [1]. + It helps detect potentially malicious scripts, such as harmful PowerShell commands or Microsoft + Office macros, even if they are obfuscated [2]. + + When AMSI is enabled, antivirus programs can scan scripts before they run [2]. + If a known malicious pattern is detected, the script may be blocked [2]. + + Disabling AMSI may enhance privacy by limiting data shared with antimalware services. + It may also boost system performance by reducing background scanning activities. + + However, disabling AMSI poses significant security risks: + + 1. Reduced protection from script-based attacks + 2. Weakened detection of malicious macros + 3. Increased vulnerability to obfuscated malware + + > **Caution:** + > Disabling AMSI weakens your defense against malware and script-based threats. + + ### Technical Details + + This script modifies the Windows Registry by setting the `AmsiEnable` value to `0` + under the `HKCU\Software\Microsoft\Windows Script\Settings` key [2] [3] [4]. + + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828134331/https://redcanary.com/threat-detection-report/techniques/modify-registry// "Modify Registry - Red Canary Threat Detection Report | redcanary.com" + [4]: https://web.archive.org/web/20240828134538/https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ "Macros and More with SharpShooter v2.0 - MDSec | www.mdsec.co.uk" + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows Script\Settings + valueName: AmsiEnable + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Defender remote management + docs: |- + This category contains scripts to disable remote management capabilities of Defender + + Remote management allows administrators or management systems to control Defender settings and receive information remotely. + This includes applying configurations, running scans, and collecting device security data. + + Disabling remote management enhances your privacy by: + + - Preventing remote access to your Defender settings and data. + - Reducing the amount of information shared with management systems. + - Giving you more control over your local security settings. + + It also increases your security by: + + - Reducing potential attack surface for remote exploits. + - Preventing unauthorized changes to your Defender settings. + + It can also boost system performance by removing associated components. + + However, disabling remote management can interfere with organizational settings and potentially reduce security by: + + - Preventing automatic application of security policies. + - Limiting the ability of IT administrators to manage and monitor security across devices. + - Potentially missing important security updates or configurations. + + > **Caution**: + > Disabling Defender remote management may violate organizational policies and impair the IT department's + > ability to protect and manage your device. + children: + - + name: Disable Defender remote configuration + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Windows Defender's ability to receive remote configurations. + + Windows Defender Management uses this feature to remotely control Defender's behavior [1]. + It uses a Configuration Service Provider (CSP) as an interface between the device's settings and + specified configurations [2]. + CSPs, like Group Policy client-side extensions, enable reading, setting, modifying, or deleting + settings for specific features [2]. + Mobile device management (MDM) service providers commonly use these CSPs [2]. + + Disabling this feature enhances privacy and user control by blocking remote modifications to your + Defender settings. + This action may also improve system performance by reducing background processes related to + checking and applying remote configurations. + + However, this action may reduce security by: + + - Preventing potentially important security updates from being applied automatically. + - Limiting the ability of IT administrators to manage Defender settings across devices. + + > **Caution:** + > Disabling this feature may make your computer less secure and reduce the ability of management + > systems to adjust security settings automatically. + + ### Technical Details + + The script targets the COM registration for the CLSID `195B4D07-3DE2-4744-BBF2-D90121AE785B` [1] [3]. + This application registers the `DefenderCSP.dll` library [1] [3]. + This component is used by the Defender service (`MpSvc`) [4]. + The DLL file is located in the `%PROGRAMFILES%\Windows Defender` folder [1] [3]. + + This script performs a soft deletion of: + + - The COM registration for the CLSID (`195B4D07-3DE2-4744-BBF2-D90121AE785B`) [1] [3]. + - The `DefenderCSP.dll` file. + + For more information on related configurations and the full range of settings affected, see the official + Microsoft documentation on the Defender CSP [5]. + + [1]: https://web.archive.org/web/20240917101148/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest#L14-L29 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท colorsci/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240829084136/https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers "Configuration service providers for IT pros | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829084308/https://strontic.github.io/xcyclopedia/library/clsid_195B4D07-3DE2-4744-BBF2-D90121AE785B.html "CLSID 195B4D07-3DE2-4744-BBF2-D90121AE785B | Defender CSP | STRONTIC | strontic.github.io" + [4]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings#L6494 "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d ยท privacysexy-forks/10_0_22000_1165 | github.com" + [5]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\DefenderCSP.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender remote commands + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Defender's remote management capabilities. + + The script specifically targets a component known as the **Microsoft Security Client Antimalware Provider** [1]. + + This component allows PowerShell to manage Defender remotely, often through + **System Center Endpoint Protection (SCEP)** [2] [3] [4]. + + Disabling this component enhances your privacy by preventing remote access to your Defender settings and data. + It may also enhance system performance by reducing background processes associated with remote management. + However, it may decrease security in managed environments by limiting remote management of your system's security settings. + + > **Caution:** This action may reduce security on work or school computers and other managed devices. + + ### Technical Details + + The script disables these components: + + - The `MpProvider.dll` file located at `%PROGRAMFILES%\Windows Defender\MpProvider.dll` [5]. + - **InfectionState WMI Provider** COM object with CLSID `361290c0-cb1b-49ae-9f3e-ba1cbe5dab35` [5] [6]. + - **Status WMI Provider** COM object with CLSID `8a696d12-576b-422e-9712-01b9dd84b446` [5] [7]. + - **AMMonitoring WMI Provider** COM object with CLSID `DACA056E-216A-4FD1-84A6-C306A017ECEC` [5] [8]. + + These components are part of the Windows Defender Management package [5]. + + [1]: https://web.archive.org/web/20240829150549/https://systemexplorer.net/file-database/file/mpprovider-dll "What is mpprovider.dll ? | System Explorer | systemexplorer.net" + [2]: https://web.archive.org/web/20240829150629/https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical "Assessment checks for endpoint detection and response - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829150639/https://www.verboon.info/2014/04/managing-windows-defender-system-center-endpoint-security-with-powershell/ "Managing Windows Defender / System Center Endpoint Security with PowerShell โ€“ Anything about IT | www.verboon.info" + [4]: https://web.archive.org/web/20240829150603/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-client-faq "Endpoint Protection client frequently asked questions - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240829150445/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest#L96-L104 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240829150513/https://strontic.github.io/xcyclopedia/library/clsid_361290c0-cb1b-49ae-9f3e-ba1cbe5dab35.html "CLSID 361290c0-cb1b-49ae-9f3e-ba1cbe5dab35 | InfectionState WMI Provider | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240829180050/https://strontic.github.io/xcyclopedia/library/clsid_8a696d12-576b-422e-9712-01b9dd84b446.html "CLSID 8a696d12-576b-422e-9712-01b9dd84b446 | Status WMI Provider | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240829180219/https://strontic.github.io/xcyclopedia/library/clsid_DACA056E-216A-4FD1-84A6-C306A017ECEC.html "CLSID DACA056E-216A-4FD1-84A6-C306A017ECEC | AMMonitoring WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpProvider.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender WMI management + recommend: null # Impacts local management + docs: |- + This script disables Defender's ability to be managed through Windows Management Instrumentation (WMI). + + WMI enables the management and automation of tasks on Windows computers [1]. + WMI is primarily used for remote management and monitoring but it can also operate locally [1]. + + Disabling Defender's WMI management enhances privacy by preventing unauthorized remote modifications + to Defender settings. + It may also improve system performance by reducing background processes related to WMI management. + + However, this change comes with trade-offs: + + - It may disrupt local management scripts on your computer [1]. + - It can impact computers managed by enterprise software such as **System Center Operations Manager** + or **Windows Remote Management** [1]. + - It may reduce security by limiting the ability to manage Defender remotely in enterprise environments. + + > **Caution:** + > This script may interfere with system management tools and potentially reduce security in enterprise environments. + + ### Technical Details + + This script removes specific components of the `Windows-Defender-Management-Onecore` package [2]: + + - File `%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll` [2] [3] + - COM class **Windows Defender WMI Provider** (CLSID: `A7C452EF-8E9F-42EB-9F2B-245613CA0DC9`) [2] [3] + + [1]: https://web.archive.org/web/20240830103531/https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page "Windows Management Instrumentation - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830103651/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240830103709/https://strontic.github.io/xcyclopedia/library/clsid_A7C452EF-8E9F-42EB-9F2B-245613CA0DC9.html "CLSID A7C452EF-8E9F-42EB-9F2B-245613CA0DC9 | Windows Defender WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender updates children: @@ -17153,7 +17631,6 @@ actions: property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - - name: Minimize Defender engine updates to completed release cycles docs: @@ -17256,19 +17733,6 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - name: Disable auditing events in Defender Application Guard - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI - valueName: AuditApplicationGuard - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender scheduled tasks children: @@ -17453,7 +17917,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` @@ -17482,7 +17946,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐ŸŸข Running | Boot | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` @@ -17510,7 +17974,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Boot | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` @@ -17619,6 +18083,70 @@ actions: elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - function: ShowComputerRestartSuggestion + - + name: Disable Defender Antivirus shared service components + docs: |- + This script disables Microsoft Defender Antivirus shared service components. + + This script may enhance privacy by reducing the system's monitoring and data collection capabilities. + It may also improve system performance by reducing background processes and resource usage. + + However, disabling these components may significantly reduce system security. + Without these components, the system becomes more vulnerable to malware, viruses, and other cyber threats. + + > **Caution:** This action disables your antivirus protection, exposing your computer to viruses and other cyber threats. + + ### Technical Details + + The script disables the following components: + + - Microsoft Windows Defender COM application with CLSID `A2D75874-6750-4931-94C1-C99D3BC9D0C7` [1] [2] + and AppID `A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F` [1] [2]. + It is component of Defender Antivirus (`WinDefend`) [2] [3]. + Its file is at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] [2]. + It also uses `MsMpCom.dll` for in-process COM servers [1] [2]. + - Microsoft Windows Defender COM Utility Type Library (`8C389764-F036-48F2-9AE2-88C260DCF43B`) [2] + - DLL `MpAsDesc.dll` located at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] + Defender services like `WdNisDrv`, `WdBoot`, `WinDefend`, `WdNisSvc` all depends on this file [4]. + - DLL `MsMpCom.dll` located at `%PROGRAMFILES%\Windows Defender\MsMpCom.dll` [1] [2] + + [1]: https://web.archive.org/web/20240829212450/https://strontic.github.io/xcyclopedia/library/clsid_A2D75874-6750-4931-94C1-C99D3BC9D0C7.html "CLSID A2D75874-6750-4931-94C1-C99D3BC9D0C7 | Microsoft Windows Defender | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240829212436/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints#known-issues-and-limitations-in-the-new-unified-solution-package-for-windows-server-2016-and-windows-server-2012-r2 "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240829212123/https://github.com/privacysexy-forks/SchoolNotes/blob/af823cecc159021e1a54fb5ca15d54ce35734ee9/ifs4102/Assignments/Assignment-2/a2system.txt "SchoolNotes/ifs4102/Assignments/Assignment-2/a2system.txt at af823cecc159021e1a54fb5ca15d54ce35734ee9 ยท privacysexy-forks/SchoolNotes | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles # โŒ TrustedInstaller is not enough; requires safe mode or disabled protection + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpAsDesc.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpCom.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender Firewall docs: |- @@ -18031,6 +18559,59 @@ actions: parameters: fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable Defender for Endpoint remote configuration + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables remote configuration for Microsoft Defender for Endpoint, enhancing privacy + and local control over your device's security settings. + + Microsoft Defender for Endpoint is a security suite designed to protect devices from cyber threats [1]. + Some components are included by default on Windows without requiring user opt-in [2] [3]. + Remote configuration allows administrators to manage and update settings across multiple devices. + This feature is typically used in work or school environments where centralized control of multiple devices + is necessary. + + Disabling this feature enhances privacy by preventing remote changes to your Defender for Endpoint settings. + It may also improve system performance by reducing background processes related to remote management. + + However, disabling this feature may: + + - Prevent automatic security updates from being applied. + - Limit the ability of IT administrators to manage security settings across devices. + - Violate your organization's compliance policies if you're on a work or school computer. + + > **Caution:** + > Disabling this feature may reduce your device's security and limit automatic security adjustments. + + ### Technical Details + + This script disables the following components: + + - Windows Defender Advanced Threat Protection CSP [2] + (CLSID: `FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4` [2]) + - Windows Defender Advanced Threat Protection Manageability module [3] + (Path: `%PROGRAMFILES%\Windows Defender Advanced Threat Protection\WATPCSP.dll` [2] [3]) + + For detailed configurations and settings, refer to Microsoft's documentation on WindowsAdvancedThreatProtection CSP [4]. + + [1]: https://web.archive.org/web/20240821073223/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint "Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831150003/https://strontic.github.io/xcyclopedia/library/clsid_FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4.html "CLSID FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4 | Windows Defender Advanced Threat Protection CSP | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240831150016/https://strontic.github.io/xcyclopedia/library/WATPCSP.dll-44CC07FE949C00E92571169E2413F4CC.html "WATPCSP.dll | Windows Defender Advanced Threat Protection Manageability module | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831150703/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsadvancedthreatprotection-csp "WindowsAdvancedThreatProtection CSP | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\WATPCSP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable SmartScreen docs: |- # refactor-with-variables: โ€ข SmartScreen Caution @@ -18821,27 +19402,28 @@ actions: - name: Disable outdated Internet Explorer SmartScreen Filter component docs: |- # refactor-with-variables: โ€ข SmartScreen Caution - This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + This script disables the outdated Internet Explorer SmartScreen filter (`ieapfltr.dll`). - The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. - It is mainly used by Internet Explorer [2]. + The `ieapfltr.dll` file is also known as **Microsoft SmartScreen Filter** [1] + or **Anti-phishing browser solution** [2]. + It is mainly used by Internet Explorer [3]. - Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], + Despite the official end of support for Internet Explorer 11 on June 15, 2022 [4], some systems may still have this component. Benefits: - **Privacy improvement**: - By disabling the SmartScreen functionality that monitors user behavior, + By disabling the SmartScreen functionality that monitors user behavior, this script enhances your privacy. - **Security enhancement**: It reduces the attack surface by removing unused components, aligning with security best practices. - **System performance**: It may improve system performance by removing unnecessary components. - + Trade-offs: - + - **Reduced security**: The absence of SmartScreen may decrease protection against malware and phishing. - **Browser Functionality**: @@ -18853,30 +19435,62 @@ actions: Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend on it, even if Internet Explorer is not actively used. + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + ### Technical Details + File locations: | File path | Windows 11 (23H2) | Windows 10 (22H2) | |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\ieapfltr.dll` [4] | โŒ Missing | โŒ Missing | + | `%WINDIR%\System32\ieapfltr.dll` [5] | โŒ Missing | โŒ Missing | | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | โœ… Yes | โœ… Exists | - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + This component is associated with following CLSIDs: + + - `3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30` [5] + - `E48B2549-D510-4A76-8A5F-FC126A6215F0` [2] [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240828080343/https://strontic.github.io/xcyclopedia/library/clsid_E48B2549-D510-4A76-8A5F-FC126A6215F0.html "CLSID E48B2549-D510-4A76-8A5F-FC126A6215F0 | CLSID_AntiPhishingBrowserSolution | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" call: - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\ieapfltr.dll' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + grantPermissions: 'true' # ๐Ÿ”’๏ธ Likely protected as other files in `%WINDIR%\System32`, not tested due to lack of this file on modern Windows - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable SmartScreen system components docs: |- @@ -18908,31 +19522,30 @@ actions: - name: Disable SmartScreen process docs: |- # refactor-with-variables: โ€ข SmartScreen Caution - This script stops and prevents the `smartscreen.exe` from running. + This script stops the `smartscreen.exe` process and prevents it from running. This process is officially known as *Windows Defender SmartScreen* [1] [2]. It manages the SmartScreen functionality [3] [4]. - Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. - - Disabling SmartScreen improves your privacy because it stops outbound network connections - that transmit your data [5]. - This process runs in the background even when SmartScreen is disabled [3]. + Disabling SmartScreen enhances privacy by preventing outbound network connections that transmit your data [5]. + Even when disabled, SmartScreen continues running in the background [3]. It also improves system performance by reducing CPU usage [6]. - However, disabling SmartScreen process can compromise your security by disabling its protective features. + However, disabling the SmartScreen process may compromise your security by removing its protective features. Additionally, if SmartScreen remains partially enabled after the process is disabled, - it may impair the functionality of Microsoft Store apps [3] [5]. + it may impair the functionality of Microsoft Store apps [3] [5] [7]. - This script will: + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. - - **Terminate the process**: - Stops the `smartscreen.exe` process to prevent it from running. - - **Remove the executable**: - Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + ### Technical Details - > **Caution**: - > - Disabling SmartScreen may reduce your protection against phishing and malware. - > - Disabling this process may prevent Microsoft Store apps from loading. + The executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + + This script will: + + - **Terminate the process**: + Stops the `smartscreen.exe` process to prevent it from running. + - **Remove the executable**: + Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" @@ -18940,6 +19553,7 @@ actions: [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... - Microsoft Community | answers.microsoft.com" [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + [7]: https://web.archive.org/web/20240829095739/https://github.com/undergroundwires/privacy.sexy/issues/412 "Disabling SmartScreen causes the OS to open apps very slowly (Solution) ยท Issue #412 ยท undergroundwires/privacy.sexy | github.com" call: - function: TerminateAndBlockExecution @@ -19015,6 +19629,498 @@ actions: parameters: fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + name: Disable SmartScreen integrations + docs: |- + This script disables COM SmartScreen integrations within Windows. + + **SmartScreen** is a security feature that aims to protect your device from harmful applications, + files, and websites by comparing items with a database of known threats [1]. + + **COM (Component Object Model)** objects are software components that let different programs communicate [2]. + These integrations allow SmartScreen to interact with various Windows components [2] [3]. + Disabling these components disrupts SmartScreen's functionality. + + This script improves privacy by: + + - Reducing data collection related to SmartScreen operations + - Limiting the system's ability to scan and report on your activities + + Disabling SmartScreen may improve system performance by: + + - Removing background processes associated with SmartScreen + - Potentially speeding up application launches, especially if SmartScreen is partially disabled [4] + + If other SmartScreen components are already disabled, this script may help maintain system integrity [4]. + + However, disabling these integrations may reduce security by: + + - Limiting the system's ability to detect and prevent malware or phishing attempts [1] + - Disabling protective features that scan downloaded files and warn about unsafe websites [1] + + > **Caution**: + > Disabling SmartScreen integrations may make your system more vulnerable to malware and phishing attacks. + > Consider your personal security needs before applying these changes. + + ### Technical Details + + This script disables several COM interfaces, classes, and applications associated with SmartScreen. + + Key components affected include: + + - SmartScreen event logging and reporting interfaces + - URI (Uniform Resource Identifier) and file reputation services + - Application reputation services + - SmartScreen-related Windows Runtime activatable classes + + The components disabled by this script consist of: + + | Type | Name | ID | + |------|------|------| + | Interface | `IDeferredParametersHandler` [3] | Interface ID: `741baa78-e96f-466c-9ffa-81af5ce4cd59` [3] | + | Interface | `IEventLogger` [3] | Interface ID: `a3104ea9-a816-4fdc-860c-75408a04b686` [3] | + | Interface | `IEventLoggerFactory` [3] | Interface ID: `16ae6386-0aa2-45fc-aab2-f2ee3a0f3188` [3] | + | Interface | `IHtmlContentInfo` [3] | Interface ID: `680d04e6-9661-4ac5-b962-58b112ffa5e6` [3] | + | Interface | `IButtonInfo` [3] | Interface ID: `9ad9b845-b683-493e-8d39-45a56d54617d` [3] | + | Interface | `IVectorView` [3] | Interface ID: `e9444d66-3ff9-5410-8984-f9063f825683` [3] | + | Interface | `IIterable` [3] | Interface ID: `69c26f3c-53aa-56cc-818f-4be79004cd02` [3] | + | Interface | `IIterator` [3] | Interface ID: `60f00258-24f8-5460-bb2d-853a614a50ec` [3] | + | Interface | `IPopupButtonInfo` [3] | Interface ID: `c729ad47-6f3a-46f4-af74-3b5c3311e6ed` [3] | + | Interface | `IUriReputationExperienceInfo` [3] | Interface ID: `7fdde05c-d2db-495b-b06d-4a8d84f3ab99` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `b2b6814f-02c2-5b0c-9e14-159eb77f4462` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `aad9a740-4131-5fe0-9888-c925750b8a99` [3] | + | Interface | `IUriReputationResult` [3] | Interface ID: `1d5bc3a2-a3ff-4517-bb16-25bf18ef7378` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `f84b2c99-2f3d-5877-bf78-4f40f6bd25c0` [3] | + | Interface | `IAsyncOperationCompletedHandle` [3] | Interface ID: `d164f201-3f19-588a-a21e-06c60651d335` [3] | + | Interface | `IUriReputationService` [3] | Interface ID: `a774d785-2808-4471-a254-ab93932b61ea` [3] | + | Interface | `IUriReputationServiceStatics` [3] | Interface ID: `29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB` [3] | + | Interface | `IUriReputationSettings` [3] | Interface ID: `3474d734-3408-4471-a344-a3439343634a` [3] | + | Interface | `IFileReputationResult` [3] | Interface ID: `48748dc6-576c-47c0-8169-b99cc31a68fe` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `0b3418c4-edbd-5275-a27d-c814665bd20b` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `e406ebb7-b140-562f-bcbc-40f0ef479d38` [3] | + | Interface | `IFileReputationService` [3] | Interface ID: `67e7f99b-1b65-4343-825d-eb17c9681805` [3] | + | Interface | `IAppxPackage` [3] | Interface ID: `56ed2384-8491-4fbc-8f1d-141faf905d85` [3] | + | Interface | `IIterable` [3] | Interface ID: `c4c9b336-6104-586e-b35c-9f9029afb178` [3] | + | Interface | `IIterator` [3] | Interface ID: `235e004e-c711-5d74-8895-25412ca30088` | + | Interface | `IWindow` [3] | Interface ID: `ad6db2cf-0c8d-438b-b25d-9a9a82903b2b` [3] | + | Interface | `IAppReputationService` [3] | Interface ID: `d9dc3975-1062-470a-994c-409151ff8f54` [3] | + | Interface | `IAppReputationServiceStatics` | Interface ID: `343baa78-e34f-466c-9ffa-81af5ce4cd34` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `377f919e-1b1a-5ca1-9ac0-70f57dcf5f61` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `1b988c32-1bc7-52fa-83ba-0b97e79c878b` [3] | + | App | `SmartScreen` [5] | AppId: `a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d` [3] [5] | + | Class | `SmartScreen` [3] [5] | CLSID: `a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d` [3] [4] [5] | + | ActivatableClass | EventLogger | ActivatableClassId: `Windows.Internal.Security.SmartScreen.EventLogger` [3] | + | ActivatableClass | UriReputationService | ActivatableClassId: `Windows.Internal.Security.SmartScreen.UriReputationService` [3] | + | ActivatableClass | AppReputationService | ActivatableClassId: `Windows.Internal.Security.SmartScreen.AppReputationService` [3] | + + [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830140350/https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model "The Component Object Model - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240912083808/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22621.1_none_1ef7981b13e07576.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22621.1_none_1ef7981b13e07576.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240829095739/https://github.com/undergroundwires/privacy.sexy/issues/412 "Disabling SmartScreen causes the OS to open apps very slowly (Solution) ยท Issue #412 ยท undergroundwires/privacy.sexy | github.com" + [5]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{741baa78-e96f-466c-9ffa-81af5ce4cd59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{741baa78-e96f-466c-9ffa-81af5ce4cd59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{a3104ea9-a816-4fdc-860c-75408a04b686} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{a3104ea9-a816-4fdc-860c-75408a04b686} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{16ae6386-0aa2-45fc-aab2-f2ee3a0f3188} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{16ae6386-0aa2-45fc-aab2-f2ee3a0f3188} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{680d04e6-9661-4ac5-b962-58b112ffa5e6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{680d04e6-9661-4ac5-b962-58b112ffa5e6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{9ad9b845-b683-493e-8d39-45a56d54617d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{9ad9b845-b683-493e-8d39-45a56d54617d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{e9444d66-3ff9-5410-8984-f9063f825683} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e9444d66-3ff9-5410-8984-f9063f825683} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{69c26f3c-53aa-56cc-818f-4be79004cd02} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{69c26f3c-53aa-56cc-818f-4be79004cd02} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{60f00258-24f8-5460-bb2d-853a614a50ec} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{60f00258-24f8-5460-bb2d-853a614a50ec} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{c729ad47-6f3a-46f4-af74-3b5c3311e6ed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{c729ad47-6f3a-46f4-af74-3b5c3311e6ed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{7fdde05c-d2db-495b-b06d-4a8d84f3ab99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{7fdde05c-d2db-495b-b06d-4a8d84f3ab99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{b2b6814f-02c2-5b0c-9e14-159eb77f4462} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{b2b6814f-02c2-5b0c-9e14-159eb77f4462} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{aad9a740-4131-5fe0-9888-c925750b8a99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{aad9a740-4131-5fe0-9888-c925750b8a99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{1d5bc3a2-a3ff-4517-bb16-25bf18ef7378} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1d5bc3a2-a3ff-4517-bb16-25bf18ef7378} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{f84b2c99-2f3d-5877-bf78-4f40f6bd25c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{f84b2c99-2f3d-5877-bf78-4f40f6bd25c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{d164f201-3f19-588a-a21e-06c60651d335} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{d164f201-3f19-588a-a21e-06c60651d335} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{a774d785-2808-4471-a254-ab93932b61ea} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{a774d785-2808-4471-a254-ab93932b61ea} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{3474d734-3408-4471-a344-a3439343634a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3474d734-3408-4471-a344-a3439343634a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{48748dc6-576c-47c0-8169-b99cc31a68fe} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{48748dc6-576c-47c0-8169-b99cc31a68fe} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0b3418c4-edbd-5275-a27d-c814665bd20b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0b3418c4-edbd-5275-a27d-c814665bd20b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{e406ebb7-b140-562f-bcbc-40f0ef479d38} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e406ebb7-b140-562f-bcbc-40f0ef479d38} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{67e7f99b-1b65-4343-825d-eb17c9681805} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{67e7f99b-1b65-4343-825d-eb17c9681805} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{56ed2384-8491-4fbc-8f1d-141faf905d85} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{56ed2384-8491-4fbc-8f1d-141faf905d85} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{c4c9b336-6104-586e-b35c-9f9029afb178} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{c4c9b336-6104-586e-b35c-9f9029afb178} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{235e004e-c711-5d74-8895-25412ca30088} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{235e004e-c711-5d74-8895-25412ca30088} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{ad6db2cf-0c8d-438b-b25d-9a9a82903b2b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{ad6db2cf-0c8d-438b-b25d-9a9a82903b2b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{d9dc3975-1062-470a-994c-409151ff8f54} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{d9dc3975-1062-470a-994c-409151ff8f54} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{343baa78-e34f-466c-9ffa-81af5ce4cd34} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{343baa78-e34f-466c-9ffa-81af5ce4cd34} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{377f919e-1b1a-5ca1-9ac0-70f57dcf5f61} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{377f919e-1b1a-5ca1-9ac0-70f57dcf5f61} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{1b988c32-1bc7-52fa-83ba-0b97e79c878b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1b988c32-1bc7-52fa-83ba-0b97e79c878b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppId\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.EventLogger + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.UriReputationService + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - name: Disable outdated SmartScreen settings interface docs: |- # refactor-with-variables: โ€ข SmartScreen Caution @@ -19122,479 +20228,2273 @@ actions: [9]: https://web.archive.org/web/20240819080607/https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr "Microsoft Defender XDR | Microsoft Security | www.microsoft.com" children: - - name: Disable "Windows Security Service" service + category: Disable Defender interface background services docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + This category provides scripts to disable background services supporting Defender interface elements. + These services enable real-time updates and interactions with Defender's security features. - It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + Disabling these services may: - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + - Reduce system resource usage + - Minimize background processes related to the Defender interface + - Limit potential data collection associated with Defender's user interface - ### Overview of default service statuses + However, this action may also: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸข Running | Manual | - | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | + - Prevent certain security notifications from appearing + - Limit your ability to interact with Defender through its standard interface + - Reduce awareness of important security events - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states - call: - - - # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry - parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - elevateToTrustedInstaller: 'true' - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - - - category: Disable Defender user interface + > **Caution:** + > - Disabling these services may reduce visibility into your system's security status while + > core Defender functionalities remain intact. + > - Consider alternative methods to monitor system security and maintain good security practices. children: - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - name: Remove "Scan with Defender" from context menu + name: Disable "Windows Security" status reporting integrations docs: |- - This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. - Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + This script disables the Windows Security APIs, which are used by Windows and third-party security + software to report system security status. - Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + These APIs are known as **Windows Security APIs** [1], or **Windows Security Center APIs** [2]. + They allow security software to communicate with the Windows Security app [1]. + This app monitors the system's security status and provides alerts about potential vulnerabilities [1]. - > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. + Disabling these APIs can improve privacy by preventing the collection and reporting of security-related + system information. + It may also enhance system performance by reducing background processes. - ### Technical Details + However, disabling these APIs has significant trade-offs: + + - **Reduced security awareness:** + You won't receive alerts about potential security issues through the Windows Security app. + - **Impaired functionality of security software:** + Third-party security solutions may lose their ability to report status to Windows Security without these APIs. - The script functions by altering specific registry keys that correspond to the Defender context menu option. - It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. - The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. + > **Caution:** + > Disabling these APIs may reduce your system's ability to detect and respond to security threats. - The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. - This feature is provided by `shellext.dll` file located in Defender's program files [1]. + ### Technical Details - [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" - [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + This script removes several components of the Windows Security APIs, including: + + | Type | Name | Identifier / Location | + |-----------|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| + | DLL | Windows Security Center ISV API [3] | `%SYSTEMROOT%\SysWOW64\wscisvif.dll` [3], `%SYSTEMROOT%\system32\wscisvif.dll` [4] [5] | + | DLL | Windows Security Center API [6] | `%SYSTEMROOT%\System32\wscapi.dll` [4] [7] [8], `%SYSTEMROOT%\SysWOW64\WSCAPI.dll` [8] | + | DLL | Windows Security Center ISV Proxy Stub [4] [9] [10] | `%SYSTEMROOT%\system32\wscproxystub.dll` [4] [9] [11], `%SYSTEMROOT%\SysWOW64\wscproxystub.dll` [10] | + | CLSID | Windows Security Center ISV API [4] [5] | `F2102C37-90C3-450C-B3F6-92BE1693BDF2` [4] [5] | + | CLSID | WscToastActivationHandler [4] [7] | `D5F7E36B-5B38-445D-A50F-439B8FCBB87A` [4] [7] | + | CLSID | WSCDefaultProduct [4] [6] | `2981a36e-f22d-11e5-9ce9-5e5517507c66` [4] [6] | + | CLSID | WSCProductList [4] [12] | `17072F7B-9ABE-4A74-A261-1EB76B55107A` [4] [12] | + | CLSID | WscIsvIf Proxy Stub [4] [11] [13] | `7E66DBEF-2474-4E82-919B-9A855F4C2FE8` [4] [11] [13] | + | CLSID | PSFactoryBuffer [4] [14] | `8C38232E-3A45-4A27-92B0-1A16A975F669` [4] [14] | + | TypeLib | wscAPI 1.0 Type Library [4] | `B52A4496-7753-4F74-BE64-C2072E308122` [12] | + | Class | WSCProductList [4] | `wscAPI.WSCProductList` [4], `wscAPI.WSCProductList.1` [4] | + | Class | WSCDefaultProduct [4] | `wscAPI.WSCDefaultProduct` [4] | + | Interface | IWscProduct [4] | `8C38232E-3A45-4A27-92B0-1A16A975F669` [4] | + | Interface | IWscProduct2 [4] | `F896CA54-FE09-4403-86D4-23CB488D81D8` [4] | + | Interface | IWscProduct3 [4] | `55536524-D1D1-4726-8C7C-04996A1904E7` [4] | + | Interface | IWSCProductList [4] | `722A338C-6E8E-4E72-AC27-1417FB0C81C2` [4] | + | Interface | IWSCDefaultProduct [4] | `0476d69c-f21a-11e5-9ce9-5e5517507c66` [4] | + | Interface | IWscSecurityProductStatus [4] | `A61406C1-997B-4a4b-B622-AA7DACA6D575` [4] | + | Interface | IWscAVStatus [4] | `3901A765-AB91-4ba9-A553-5B8538DEB840` [4] | + | Interface | IWscAVStatus2 [4] | `206D9C96-ACDF-484B-833E-DEB914565E44` [4] | + | Interface | IWscAVStatus3 [4] | `CF007CA2-F5E3-11E5-9CE9-5E5517507c66` [4] | + | Interface | IWscAVStatus4 [4] | `4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D` [4] | + | Interface | IWscFWStatus [4] | `9B8F6C6E-8A4A-4891-AF63-1A2F50924040` [4] | + | Interface | IWscFWStatus2 [4] | `62F698CB-094A-4C68-9419-8E8C49420E59` [4] | + | Interface | IWscASStatus [4] | `024E9756-BA6C-4ad1-8321-87BAE78FD0E3` [4] | + + [1]: https://web.archive.org/web/20240831162506/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831162607/https://learn.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider "WSC_SECURITY_PROVIDER (wscapi.h) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240831162317/https://strontic.github.io/xcyclopedia/library/wscisvif.dll-82BBB18EB8507C8355A97D1E91A3C5F7.html "wscisvif.dll | Windows Security Center ISV API | STRONTIC | strontic.github.io" + [4]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240831162331/https://strontic.github.io/xcyclopedia/library/clsid_F2102C37-90C3-450C-B3F6-92BE1693BDF2.html "CLSID F2102C37-90C3-450C-B3F6-92BE1693BDF2 | Windows Security Center ISV API | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831161909/https://strontic.github.io/xcyclopedia/library/clsid_2981a36e-f22d-11e5-9ce9-5e5517507c66.html "CLSID 2981a36e-f22d-11e5-9ce9-5e5517507c66 | WSCDefaultProduct Class | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240831162350/https://strontic.github.io/xcyclopedia/library/clsid_D5F7E36B-5B38-445D-A50F-439B8FCBB87A.html "CLSID D5F7E36B-5B38-445D-A50F-439B8FCBB87A | CLSID_WscToastActivationHandler | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240831164737/https://systemexplorer.net/file-database/file/wscapi-dll "What is wscapi.dll ? | System Explorer | systemexplorer.net" + [9]: https://web.archive.org/web/20240831162431/https://strontic.github.io/xcyclopedia/library/wscproxystub.dll-FDA3D0A7A55CC2AAFAFDDACCDAEDACA1.html "wscproxystub.dll | Windows Security Center ISV Proxy Stub | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240901102406/https://strontic.github.io/xcyclopedia/library/wscproxystub.dll-D132D30182A8E0CD87C6AA66B7773E08.html "CLSID 8C38232E-3A45-4A27-92B0-1A16A975F669 | PSFactoryBuffer | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240831163052/https://strontic.github.io/xcyclopedia/library/clsid_7E66DBEF-2474-4E82-919B-9A855F4C2FE8.html "CLSID 7E66DBEF-2474-4E82-919B-9A855F4C2FE8 | WscIsvIf Proxy Stub | STRONTIC | strontic.github.io" + [12]: https://web.archive.org/web/20240831162716/https://strontic.github.io/xcyclopedia/library/clsid_17072F7B-9ABE-4A74-A261-1EB76B55107A.html "CLSID 17072F7B-9ABE-4A74-A261-1EB76B55107A | WSCProductList Class | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240831162454/https://wikileaks.org/ciav7p1/cms/page_13762803.html "CLSIDs Windows 7 Professional x86 With Office 2010 | wikileaks.org" + [14]: https://web.archive.org/web/20240831165209/https://strontic.github.io/xcyclopedia/library/clsid_8C38232E-3A45-4A27-92B0-1A16A975F669.html "CLSID 8C38232E-3A45-4A27-92B0-1A16A975F669 | PSFactoryBuffer | STRONTIC | strontic.github.io" call: - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: ThreadingModel - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' - # Windows 10 (โ‰ฅ 22H2) : Apartment (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : Apartment (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 'Apartment' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - name: Remove "Windows Security" icon from taskbar + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\wscisvif.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\wscisvif.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{F2102C37-90C3-450C-B3F6-92BE1693BDF2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{F2102C37-90C3-450C-B3F6-92BE1693BDF2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{D5F7E36B-5B38-445D-A50F-439B8FCBB87A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{D5F7E36B-5B38-445D-A50F-439B8FCBB87A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\wscapi.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\wscapi.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{2981a36e-f22d-11e5-9ce9-5e5517507c66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{2981a36e-f22d-11e5-9ce9-5e5517507c66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{17072F7B-9ABE-4A74-A261-1EB76B55107A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{17072F7B-9ABE-4A74-A261-1EB76B55107A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\TypeLib\{B52A4496-7753-4F74-BE64-C2072E308122} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{B52A4496-7753-4F74-BE64-C2072E308122} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\wscAPI.WSCProductList + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\wscAPI.WSCProductList.1 + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\wscAPI.WSCDefaultProduct + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{7E66DBEF-2474-4E82-919B-9A855F4C2FE8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{7E66DBEF-2474-4E82-919B-9A855F4C2FE8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\wscproxystub.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\wscproxystub.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{8C38232E-3A45-4A27-92B0-1A16A975F669} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{8C38232E-3A45-4A27-92B0-1A16A975F669} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{8C38232E-3A45-4A27-92B0-1A16A975F669} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8C38232E-3A45-4A27-92B0-1A16A975F669} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{F896CA54-FE09-4403-86D4-23CB488D81D8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{F896CA54-FE09-4403-86D4-23CB488D81D8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{55536524-D1D1-4726-8C7C-04996A1904E7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{55536524-D1D1-4726-8C7C-04996A1904E7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{722A338C-6E8E-4E72-AC27-1417FB0C81C2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{722A338C-6E8E-4E72-AC27-1417FB0C81C2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0476d69c-f21a-11e5-9ce9-5e5517507c66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0476d69c-f21a-11e5-9ce9-5e5517507c66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{A61406C1-997B-4a4b-B622-AA7DACA6D575} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{A61406C1-997B-4a4b-B622-AA7DACA6D575} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{3901A765-AB91-4ba9-A553-5B8538DEB840} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3901A765-AB91-4ba9-A553-5B8538DEB840} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{206D9C96-ACDF-484B-833E-DEB914565E44} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{206D9C96-ACDF-484B-833E-DEB914565E44} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{CF007CA2-F5E3-11E5-9CE9-5E5517507C66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{CF007CA2-F5E3-11E5-9CE9-5E5517507C66} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{9B8F6C6E-8A4A-4891-AF63-1A2F50924040} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{9B8F6C6E-8A4A-4891-AF63-1A2F50924040} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{62F698CB-094A-4C68-9419-8E8C49420E59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{62F698CB-094A-4C68-9419-8E8C49420E59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{024E9756-BA6C-4ad1-8321-87BAE78FD0E3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{024E9756-BA6C-4ad1-8321-87BAE78FD0E3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Shell Service docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. + This script disables a system service that operates in the background, monitoring your device and + providing security notifications. - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + This service is named **Defender Shell Service** [1], also referred to as **Security Health SSO** [2]. + It is a component of ***Windows Security** [3] (formerly **Windows Defender Security Center** [4]). + It operates in the background, scanning your device for threats and sending notifications as necessary [3]. + The service is associated with the `SecurityHealthSystray.exe` process, which manages system tray + functionality for Windows Security [3] [5]. + The system tray, or notification area, is part of the Windows taskbar at the bottom-right corner of the screen [6]. - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. + Disabling this service may enhance your privacy by reducing background monitoring. + It also improves system performance by stopping a continuously running process. + However, it may decrease your system's security by disabling a key component of Windows Security. + Disabling this component, even while other Windows Security features remain active, may lead to system errors + such as error code `0xc000012f` [3] [5]. - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" - [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" - call: - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - valueName: SecurityHealth - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' - # Windows 10 (โ‰ฅ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - dataTypeOnRevert: REG_EXPAND_SZ - dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' - - - name: Disable Defender Antivirus interface - docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. - - Several reasons to hide the antivirus interface: - - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. - - The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. - - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + > **Caution:** Disabling this service may weaken your computer's security and could result in system errors. + + ### Technical Details + + This script removes the following CLSIDs and associated files: + + | CLSID | Windows 10 Pro (โ‰ฅ 22H2) | Windows 11 Pro (โ‰ฅ 23H2) | + | ---- | ----------------------- | ----------------------- | + | `E3C9166D-1D39-4D4E-A45D-BC7BE9B00578` [5] | Missing | `%SYSTEMROOT%\System32\SecurityHealth\\SecurityHealthSSO.dll` [3] [5] | + | `6D40A6F9-3D32-4FCB-8A86-BE992E03DC76` [2] | `%SYSTEMROOT%\System32\SecurityHealthSSO.dll` [2] | Missing | + + It also removes these files: + + | File | Windows 10 Pro (โ‰ฅ 22H2) | Windows 11 Pro (โ‰ฅ 23H2) | + | ---- | ----------------------- | ----------------------- | + | `%SYSTEMROOT%\System32\SecurityHealth\\SecurityHealthSSO.dll` | โŒ Missing | โœ… Exists | + | `%SYSTEMROOT%\System32\SecurityHealthSSO.dll` [1] [2] | โŒ Missing | โœ… Exists | + + [1]: https://web.archive.org/web/20240829161045/https://strontic.github.io/xcyclopedia/library/SecurityHealthSSO.dll-3C4BE8F167045062380124D2D5BE8C1B.html "SecurityHealthSSO.dll | Security Health SSO | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240829161040/https://strontic.github.io/xcyclopedia/library/clsid_6D40A6F9-3D32-4FCB-8A86-BE992E03DC76.html "CLSID 6D40A6F9-3D32-4FCB-8A86-BE992E03DC76 | CLSID_DefenderShellServiceObject | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240829161005/https://www.thewindowsclub.com/securityhealthsystray-exe-bad-image-what-is-it "SecurityHealthSystray.exe Bad Image; What is it? | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [5]: https://web.archive.org/web/20240829161012/https://oshibaetsya.ru/securityhealthsystray-exe-oshibka/ "Securityhealthsystray exe ะพัˆะธะฑะบะฐ - ะะต ะพัˆะธะฑะฐะตั‚ัั ะปะธัˆัŒ ั‚ะพั‚, ะบั‚ะพ ะฝะธั‡ะตะณะพ ะฝะต ะดะตะปะฐะตั‚! | oshibaetsya.ru" + [6]: https://web.archive.org/web/20240829161654/https://learn.microsoft.com/en-us/windows/win32/shell/notification-area "Notifications and the Notification Area - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578} + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{6D40A6F9-3D32-4FCB-8A86-BE992E03DC76} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthSSO.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealth\*\SecurityHealthSSO.dll' + grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease - - name: Disable non-administrator access to Defender threat history + name: Disable "Windows Security Service" service docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. + This script disables the Windows Security Service, a component that manages + various Windows security features. + + This service is known as **Windows Security Service** [1], `SecurityHealthService` [2] + or **Windows Security Health Service** [2] [3]. + It provides device protection and system health information [1] [3]. + + This service is part of the **Windows Security** interface [2] [4]. + **Windows Security** is a centralized interface managing various Windows security features [5]. + In earlier Windows versions, this interface was called **Security Center** [5]. - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. + This service is also a component of **Defender for Endpoint** and **Defender Antivirus** [4]. + However, disabling this service does not affect the functionality of Defender Antivirus [2]. - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. + Disabling this service may enhance privacy by limiting data collection related to system security. + It may also improve system performance by preventing the service from running in the background. + However, it may decrease security by disabling the Windows Security interface and restricting access + to security information. - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. - However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + > **Caution**: + > Disabling this service may prevent you from accessing Windows Security features and + > receiving important security notifications. + + ### Technical Details + + The **Windows Security** interface relies on this service [2]. - The script configures: + By default, Windows is set to start this service manually [1]. + Although tests indicate it runs automatically on Windows 10 and 11. - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. + The service is located at `%SYSTEMROOT%\System32\SecurityHealthService.exe` [1] [3] [6] - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. - This undocumented registry key has been verified to work on older Windows versions by the community [2]. + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸข Running | Manual | + | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "ะกะพั„ั‚ | ะกะตะบั€ะตั‚ั‹ Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + [1]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [2]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + [5]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [6]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" call: - - function: SetMpPreference + # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + elevateToTrustedInstaller: 'true' - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โŒ Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2) + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 22H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - - category: Disable sections in "Windows Security" + name: Disable "Windows Security Service" interactions docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + This script disables the Security Health Service's COM objects, which prevents + the Windows Security Center from running. - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. + Security Health Service is also known as **Windows Security Service** [1] [2] + or **Windows Security Health Service** [1] [2] [3]. + It is a fundamental component of Windows security features [3]. - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: + The script disables various Component Object Model (COM) objects related to + this service. + **COM (Component Object Model)** is a system enabling interaction between software + components in Windows [4]. + + Disabling these components may enhance your privacy by limiting the system's ability + to monitor and report on your computer's security status. + It may also improve system performance by preventing these services from running in + the background. + + However, disabling these components may lower your system's overall security. + This script does not directly disable Defender Antivirus or Defender Firewall [3]. + But it may prevent Windows from alerting you about potential security issues or + threats. + + > **Caution**: + > Disabling these components may increase your system's vulnerability to security threats + > and prevent you from receiving important security notifications + + ### Technical Details + + The script disables the following COM objects: + + - Security Health Service (AppID: `2EB6D15C-5239-41CF-82FB-353D20B816CF`) [1] [5] + - Defender Pua Shield Class (CLSID: `F6976CF5-68A8-436C-975A-40BE53616D59`) [6] + - Threat Protection Shield Class (CLSID: `CC66E708-C687-42EA-806E-83D41C9D1A5F`) [5] [7] + - Defender Shield Class (CLSID: `8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0`) [5] [8] + - Dashboard Class (CLSID: `F99A566C-42AE-4DE2-AD4D-D297A04C5433`) [5] [9] + - Health Advisor Shield Class (CLSID: `470B9B9B-0E95-4963-B265-5D58E5808C3D`) [5] [10] + - Shield Process Launcher Class (CLSID: `2D15188C-D298-4E10-83B2-64666CCBEBBD`) [5] [11] + - App and Browser Shield Class (CLSID: `816A45F9-7406-42BB-B4FA-A655D96F2A8A`) [5] [12] + - Account Protection Shield Class (CLSID: `2557a77e-882d-4633-960e-0c718670c1c7`) [13] + - Data Protection Shield Class (CLSID: `1B48339C-D15E-45F3-AD55-A851CB66BE6B`) [14] + - Exploit Shield Class (CLSID: `A2A6D7C6-ECBD-439E-9244-9E784608439F`) [5] [15] + - Management Shield Class (CLSID: `434AEC1C-8583-45EC-B88F-750D6F380BC3`) [5] [16] + - Shield Provider Toast Class (CLSID: `D6B0D1EB-456E-48FF-A3E3-F393C74B85DB`) [5] [17] + - Hardware Shield Class (CLSID: `EDAE4045-CAE6-4706-8973-FA69715B8C10`) [18] + - OS Protection Shield Class (CLSID: `5CF41123-E9E6-4AC0-85A7-C4001F513C6A`) [19] + - Application Guard Shield Class (CLSID: `BD8A8E7D-E42F-434A-8215-C7ECB6C32786`) [20] + - ForceField Web Protection Shield Class (CLSID: `47782907-6A6D-44BC-8872-4E45E994E6F9`) [21] + + These objects are core components of the Windows Security Health Service [5]. + They are used by `SecurityHealthCore.dll` [1] and `SecurityHealthService.exe` [22]. + + [1]: https://archive.ph/2024.08.30-134307/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | 10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [2]: https://web.archive.org/web/20240830134503/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_Windows11_21H2/comx64/comAppId.csv "windows-com-objects/Data/CASE_Windows11_21H2/comx64/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + [3]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [4]: https://web.archive.org/web/20240830140350/https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model "The Component Object Model - Win32 apps | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master ยท privacysexy-forks/juicy-potato | github.com" + [6]: https://web.archive.org/web/20240830133815/https://strontic.github.io/xcyclopedia/library/clsid_F6976CF5-68A8-436C-975A-40BE53616D59.html "CLSID F6976CF5-68A8-436C-975A-40BE53616D59 | Defender Pua Shield Class | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240830133850/https://strontic.github.io/xcyclopedia/library/clsid_CC66E708-C687-42EA-806E-83D41C9D1A5F.html "CLSID CC66E708-C687-42EA-806E-83D41C9D1A5F | Threat Protection Shield Class | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240830133934/https://strontic.github.io/xcyclopedia/library/clsid_8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0.html "CLSID 8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0 | Defender Shield Class | STRONTIC | strontic.github.io" + [9]: https://web.archive.org/web/20240830133817/https://strontic.github.io/xcyclopedia/library/clsid_F99A566C-42AE-4DE2-AD4D-D297A04C5433.html "CLSID F99A566C-42AE-4DE2-AD4D-D297A04C5433 | Dashboard Class | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240830133835/https://strontic.github.io/xcyclopedia/library/clsid_470B9B9B-0E95-4963-B265-5D58E5808C3D.html "CLSID 470B9B9B-0E95-4963-B265-5D58E5808C3D | Health Advisor Shield Class | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240830133909/https://strontic.github.io/xcyclopedia/library/clsid_2D15188C-D298-4E10-83B2-64666CCBEBBD.html "CLSID 2D15188C-D298-4E10-83B2-64666CCBEBBD | Shield Process Launcher Class | STRONTIC | strontic.github.io" + [12]: https://web.archive.org/web/20240830134053/https://strontic.github.io/xcyclopedia/library/clsid_816A45F9-7406-42BB-B4FA-A655D96F2A8A.html "CLSID 816A45F9-7406-42BB-B4FA-A655D96F2A8A | App and Browser Shield Class | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240830134049/https://strontic.github.io/xcyclopedia/library/clsid_2557a77e-882d-4633-960e-0c718670c1c7.html "CLSID 2557a77e-882d-4633-960e-0c718670c1c7 | Account Protection Shield Class | STRONTIC | strontic.github.io" + [14]: https://web.archive.org/web/20240830134101/https://strontic.github.io/xcyclopedia/library/clsid_1B48339C-D15E-45F3-AD55-A851CB66BE6B.html "CLSID 1B48339C-D15E-45F3-AD55-A851CB66BE6B | Data Protection Shield Class | STRONTIC | strontic.github.io" + [15]: https://web.archive.org/web/20240830134116/https://strontic.github.io/xcyclopedia/library/clsid_A2A6D7C6-ECBD-439E-9244-9E784608439F.html "CLSID A2A6D7C6-ECBD-439E-9244-9E784608439F | Exploit Shield Class | STRONTIC | strontic.github.io" + [16]: https://web.archive.org/web/20240830134135/https://strontic.github.io/xcyclopedia/library/clsid_434AEC1C-8583-45EC-B88F-750D6F380BC3.html "CLSID 434AEC1C-8583-45EC-B88F-750D6F380BC3 | Management Shield Class | STRONTIC | strontic.github.io" + [17]: https://web.archive.org/web/20240830134148/https://strontic.github.io/xcyclopedia/library/clsid_D6B0D1EB-456E-48FF-A3E3-F393C74B85DB.html "CLSID D6B0D1EB-456E-48FF-A3E3-F393C74B85DB | Shield Provider Toast Class | STRONTIC | strontic.github.io" + [18]: https://web.archive.org/web/20240830134524/https://strontic.github.io/xcyclopedia/library/clsid_EDAE4045-CAE6-4706-8973-FA69715B8C10.html "CLSID EDAE4045-CAE6-4706-8973-FA69715B8C10 | Hardware Shield Class | STRONTIC | strontic.github.io" + [19]: https://web.archive.org/web/20240830134415/https://strontic.github.io/xcyclopedia/library/clsid_5CF41123-E9E6-4AC0-85A7-C4001F513C6A.html "CLSID 5CF41123-E9E6-4AC0-85A7-C4001F513C6A | OS Protection Shield Class | STRONTIC | strontic.github.io" + [20]: https://web.archive.org/web/20240830134433/https://strontic.github.io/xcyclopedia/library/clsid_BD8A8E7D-E42F-434A-8215-C7ECB6C32786.html "CLSID BD8A8E7D-E42F-434A-8215-C7ECB6C32786 | Application Guard Shield Class | STRONTIC | strontic.github.io" + [21]: https://web.archive.org/web/20240830134440/https://strontic.github.io/xcyclopedia/library/clsid_47782907-6A6D-44BC-8872-4E45E994E6F9.html "CLSID 47782907-6A6D-44BC-8872-4E45E994E6F9 | ForceField Web Protection Shield Class | STRONTIC | strontic.github.io" + [22]: https://web.archive.org/web/20240830134010/https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/SecurityHealthService.exe.strings "10_0_19045_2251/C/Windows/System32/SecurityHealthService.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf ยท privacysexy-forks/10_0_19045_2251 | github.com" + call: - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2EB6D15C-5239-41CF-82FB-353D20B816CF} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Family options" section in "Windows Security" - docs: |- - - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2557a77e-882d-4633-960e-0c718670c1c7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Windows Security Health Agent (WSHA) + docs: |- + This script disables the Windows Security Health Agent (WSHA). + + WSHA is a component that transmits a client's security health state to a network policy server [1]. + It sends a summary of Windows Update-related information [2]. + This data transmission may raise privacy concerns for users who wish to limit the information shared + with Microsoft or network administrators. + + By disabling WSHA, this script improves privacy by preventing the automatic sending of system health + and update information. + It may also slightly increase system performance by reducing background processes. + + However, disabling WSHA may reduce security by limiting the ability of network administrators to assess and maintain + the security health of connected devices. This could potentially leave systems more vulnerable to threats. + + > **Caution**: + > Disabling this agent may interfere with your organization's security policies and leave your system more vulnerable to threats. + + ### Technical Details + + The Windows Security Health Agent is implemented through the library file + located at `%SYSTEMROOT%\System32\SecurityHealthAgent.dll` [3] [4]. + + [1]: https://web.archive.org/web/20240912124329/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/9ffadcf7-7713-4bf1-a0ca-2e52b116a0dc "[MS-WSH]: Overview | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240912124342/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/2dbd4726-63e8-425c-bd74-9994158b3dd5 "[MS-WSH]: Relationship with the Windows Update Client-Server Protocol | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240912124500/https://strontic.github.io/xcyclopedia/library/SecurityHealthAgent.dll-9C23672E9D8F134424DEA1BE93303BD1.html "SecurityHealthAgent.dll | Windows Security Health Agent | STRONTIC | strontic.github.io" + call: + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthAgent.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable Windows Security Health Core + docs: |- + This script disables the Windows Security Health Core component. + + Windows Security Health Core is a system library that manages security settings, monitors + system integrity, and interfaces with various security features [2] [3]. + It provides status information to both the system and users, handling security-related + Windows services [3]. + + Disabling this component may enhance privacy by limiting the system's monitoring and reporting + of security-related activities. + It may slightly improve system performance by removing background processes related to security + monitoring. + + However, this action may significantly reduce system security by disabling essential security + features and monitoring. + This can make your system more vulnerable to threats and malware. + + > **Caution**: + > Disabling this component weakens Windows security monitoring, potentially leaving your system + > exposed to undetected threats. + + ### Technical Details + + The script removes the library file located at `%SYSTEMROOT%\System32\SecurityHealthCore.dll` [1]. + + [1]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240912131843/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.coff "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20240912131842/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthCore.dll' + grantPermissions: 'true' + minimumWindowsVersion: Windows11-FirstRelease + - + name: Disable Windows Security Health UDK + docs: |- + This script disables the Windows Security Health UDK component. + + The **Windows Security Health UDK** is a core library that manages key aspects of **Windows Security** [1] [2]. + UDK stands for *Undocked Developer Kit* [3], *Undocked Dev Kit* [4], *Windows UDK* [3] [4]. + It's also referred to as *Undocked Shell* [5]. + It coordinates shell experiences (user interfaces) [6] and adds new features to the Windows desktop + independently of full system updates [5]. + + This component's key functions include: + + - Providing security-related services [1] + - Managing security policies [1] [2] + - Gathering system information [1] [2] + - Handling event logging [1] [2] + - Performing cryptographic operations [1] + - Managing user accounts and sessions [1] [2] + - Supporting Windows Defender features [1] [2] + - Managing containerization and virtualization [1] [2] + - Configuring firewall settings [2] + + This script may enhance privacy by limiting the system's ability to collect and process security-related data. + It may also increase system performance by reducing background processes related to security monitoring. + + However, disabling this component may significantly weaken your system's security. + According to community reports, it may disable the Windows Security background service and interface [7]. + This may leave your system more vulnerable to threats. + + > **Caution**: + > This action may expose your system to additional security threats, especially if you're unfamiliar + > with security management. + + ### Technical Details + + The library is located at `%SYSTEMROOT%\System32\SecurityHealthUdk.dll` [1] [2] [8]. + + [1]: https://web.archive.org/web/20240919114317/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthUdk.dll.coff "10_0_22622_601/C/Windows/System32/SecurityHealthUdk.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [2]: https://web.archive.org/web/20240919114426/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthUdk.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthUdk.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20240321102101/https://www.dllme.com/dll/files/windowsudk_shellcommon "windowsudk.shellcommon.dll : Free .DLL download. - DLLme.com | www.dllme.com" + [4]: https://web.archive.org/web/20240321102221/https://strontic.github.io/xcyclopedia/library/windowsudk.shellcommon.dll-AA8B2A24FBC79C2F491B4A527B4A9A42.html "windowsudk.shellcommon.dll | Windows Undocked Dev Kit Shellcommon DLL | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240321105425/https://mspoweruser.com/latest-windows-10-20h1-preview-build-shows-microsoft-is-making-the-windows-10-shell-piecemeal-upgradable/ "Latest Windows 10 20H1 Preview Build shows Microsoft is making the Windows 10 Shell piecemeal upgradable - MSPoweruser | mspoweruser.com" + [6]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240912134346/https://answers.microsoft.com/en-us/windows/forum/all/windows-security-service-set-to-manual-start-with/cadb3956-7291-4213-ab32-cb011ee3388e "Windows Security Service set to manual start, with no option to switch - Microsoft Community | answers.microsoft.com" + [8]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthUdk.dll' + grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + minimumWindowsVersion: Windows11-FirstRelease + - + name: Disable "Windows Security Health Host" process + docs: |- + This script disables the Windows Security Health Host. + + The Windows Security Health Host monitors and reports on the Windows operating system's security status [1] [2]. + It continuously checks system security aspects like Defender antivirus, firewall status, and the presence of the latest security patches [2]. + It automatically starts with Windows and runs in the background [2]. + + By disabling this process, the script may improve privacy by preventing the constant monitoring and reporting of system security status. + It may also increase system performance by eliminating the background process. + + However, this action may reduce system security. + Without the Security Health Host, **Windows Security** can't effectively monitor or report on the system's security health [1]. + **Windows Security** is a built-in Windows feature that offers a unified interface for various security products, including Defender antivirus [3]. + + > **Caution**: Disabling this feature may leave your system vulnerable to security threats without your knowledge. + + ### Technical Details + + This script removes the executable file `SecurityHealthHost.exe` from the `%SYSTEMROOT%\System32` directory [2] [4] [5]. + It also prevents any future execution of the `SecurityHealthHost.exe` process. + + [1]: https://web.archive.org/web/20240912171920/https://www.file.net/process/securityhealthhost.exe.html "SecurityHealthHost.exe Windows process - What is it? | www.file.net" + [2]: https://web.archive.org/web/20230708061253/https://malwaretips.com/blogs/securityhealthhost-exe/ "SecurityHealthHost.exe - Is SecurityHealthHost.exe Safe Or Malware? | malwaretips.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240912171905/https://strontic.github.io/xcyclopedia/library/SecurityHealthHost.exe-672C2568647CE3A4F06A1CB466490AB7.html "SecurityHealthHost.exe | Windows Security Health Host | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthHost.exe' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthHost.exe + - + name: Disable Windows Security Health data sharing + docs: |- + This script disables Windows Security Health components, including COM objects and files that + exchange security information between Windows processes. + + **Windows Security** is a built-in tool that provides a central interface for security features such + as antivirus protection [1]. + **Security Health** is a component that reports system health information [2]. + + It uses a specific protocol [3] and COM objects to communicate with other processes [4]. + **COM (Component Object Model)** is a system that allows software components to interact across processes [5]. + + This script enhances privacy by preventing Windows Security from gathering and reporting system health information. + It may boost system performance by reducing background processes related to security health reporting. + However, this may reduce your system's security by disabling features that monitor and protect your device. + + > **Caution**: + > This action may make your system more vulnerable and reduce access to critical security information. + + ### Technical Details + + It removes the following files: + + - `%SYSTEMROOT%\System32\SecurityHealthProxyStub.dll` [6] + + It removes the following COM classes: + + - Defender Shield Broker (`6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF`) [7] + - App Installer Prompt (`AA00FB1F-4EC7-4b09-BDC1-E5D88D291440`) [4] [8] + - Windows Security Health Proxy Stub Factory (`36383E77-35C2-4B45-8277-329E4BEDF47F`) [6] + - Application Guard Shield Broker (`10964DDD-6A53-4C60-917F-7B5723014344`) [9] + - Health Advisor Shield Broker (`2EF44DE8-80C9-42D9-8541-F40EF0862FA3`) [10] + - Shield Process Launcher Broker (`3213CD15-4DF2-415F-83F2-9FC58F3AEB3A`) [11] + - Network Protection Shield Broker (`3522D7AF-4617-4237-AAD8-5860231FC9BA`) [12] + - Defender Pua Shield Broker (`45F2C32F-ED16-4C94-8493-D72EF93A051B`) [13] + - Exploit Shield Broker (`3886CA90-AB09-49D1-A047-7A62D096D275`) [14] + - Dashboard Broker (`3CD3CA1E-2232-4BBF-A733-18B700409DA0`) [15] + - Account Protection Shield Broker (`5ffab5c8-9a36-4b65-9fc6-fb69f451f99c`) [16] + - Windows Security Health Agent Proxy Stub Factory (`82345212-6ACA-4B38-8CD7-BF9DE8ED07BD`) [17] + - Management Shield Broker (`849F5497-5C61-4023-8E10-A28F1A8C6A70`) [18] + - Hardware Shield Broker (`88866959-07B0-4ED8-8EF5-54BC7443D28C`) [19] + - App and Browser Shield Broker (`8E67B5C5-BAD3-4263-9F80-F769D50884F7`) [20] + - Data Protection Shield Broker (`C8DFF91D-B243-4797-BAE6-C461B65EDED3`) [21] + - ForceField Web Protection Shield Broker (`DBF393FC-230C-46CC-8A85-E9C599A81EFB`) [22] + - Shield Elevation Broker (`E041C90B-68BA-42C9-991E-477B73A75C90`) [23] + - OS Protection Shield Broker (`E476E4C0-409C-43CD-BBC0-5905B4138494`) [24] + - Shield Provider User Session Agent (`08728914-3F57-4D52-9E31-49DAECA5A80A`) [25] + + It removes the following COM applications: + + - Security Health Agent Activate As Activator Host (`37096FBE-2F09-4FF6-8507-C6E4E1179893`) [7] [10] [11] [12] [13] [14] [15] [18] [19] [20] [24] [26] + - Security Health Agent Interactive User Host (`7E55A26D-EF95-4A45-9F55-21E52ADF9887`) [16] [21] [22] [25] [26] + - Security Health Agent Interactive User Host for WDSP only (`4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed`) [26] + + [1]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20240913071811/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/9a16cf36-da15-454d-aeaa-600df49efa98 "[MS-WSH]: Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240913071751/https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal "Component Object Model (COM) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240913064542/https://strontic.github.io/xcyclopedia/library/clsid_36383E77-35C2-4B45-8277-329E4BEDF47F.html "CLSID 36383E77-35C2-4B45-8277-329E4BEDF47F | Windows Security Health Proxy Stub Factory | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240913064147/https://strontic.github.io/xcyclopedia/library/clsid_6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF.html "CLSID 6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF | Defender Shield Broker | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240919210000/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.22621.1_none_6d8ff9efc958eff3.manifest "nickel-x64/WinSxS/Manifests/wow64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.22621.1_none_6d8ff9efc958eff3.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [9]: https://web.archive.org/web/20240913064635/https://strontic.github.io/xcyclopedia/library/clsid_10964DDD-6A53-4C60-917F-7B5723014344.html "CLSID 10964DDD-6A53-4C60-917F-7B5723014344 | Application Guard Shield Broker | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240913071111/https://strontic.github.io/xcyclopedia/library/clsid_2EF44DE8-80C9-42D9-8541-F40EF0862FA3.html "CLSID 2EF44DE8-80C9-42D9-8541-F40EF0862FA3 | Health Advisor Shield Broker | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240830134518/https://strontic.github.io/xcyclopedia/library/clsid_3213CD15-4DF2-415F-83F2-9FC58F3AEB3A.html "CLSID 3213CD15-4DF2-415F-83F2-9FC58F3AEB3A | Shield Process Launcher Broker | STRONTIC | strontic.github.io" + [12]: https://web.archive.org/web/20240913072059/https://strontic.github.io/xcyclopedia/library/clsid_3522D7AF-4617-4237-AAD8-5860231FC9BA.html "CLSID 3522D7AF-4617-4237-AAD8-5860231FC9BA | Network Protection Shield Broker | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240913072244/https://strontic.github.io/xcyclopedia/library/clsid_45F2C32F-ED16-4C94-8493-D72EF93A051B.html "CLSID 45F2C32F-ED16-4C94-8493-D72EF93A051B | Defender Pua Shield Broker | STRONTIC | strontic.github.io" + [14]: https://web.archive.org/web/20240913072514/https://strontic.github.io/xcyclopedia/library/clsid_3886CA90-AB09-49D1-A047-7A62D096D275.html "CLSID 3886CA90-AB09-49D1-A047-7A62D096D275 | Exploit Shield Broker | STRONTIC | strontic.github.io" + [15]: https://web.archive.org/web/20240913072524/https://strontic.github.io/xcyclopedia/library/clsid_3CD3CA1E-2232-4BBF-A733-18B700409DA0.html "CLSID 3CD3CA1E-2232-4BBF-A733-18B700409DA0 | Dashboard Broker | STRONTIC | strontic.github.io" + [16]: https://web.archive.org/web/20240913072538/https://strontic.github.io/xcyclopedia/library/clsid_5ffab5c8-9a36-4b65-9fc6-fb69f451f99c.html "CLSID 5ffab5c8-9a36-4b65-9fc6-fb69f451f99c | Account Protection Shield Broker | STRONTIC | strontic.github.io" + [17]: https://web.archive.org/web/20240913074656/https://strontic.github.io/xcyclopedia/library/clsid_82345212-6ACA-4B38-8CD7-BF9DE8ED07BD.html "CLSID 82345212-6ACA-4B38-8CD7-BF9DE8ED07BD | Windows Security Health Agent Proxy Stub Factory | STRONTIC | strontic.github.io" + [18]: https://web.archive.org/web/20240913074603/https://strontic.github.io/xcyclopedia/library/clsid_849F5497-5C61-4023-8E10-A28F1A8C6A70.html "CLSID 849F5497-5C61-4023-8E10-A28F1A8C6A70 | Management Shield Broker | STRONTIC | strontic.github.io" + [19]: https://web.archive.org/web/20240913074718/https://strontic.github.io/xcyclopedia/library/clsid_88866959-07B0-4ED8-8EF5-54BC7443D28C.html "CLSID 88866959-07B0-4ED8-8EF5-54BC7443D28C | Hardware Shield Broker | STRONTIC | strontic.github.io" + [20]: https://web.archive.org/web/20240913074846/https://strontic.github.io/xcyclopedia/library/clsid_8E67B5C5-BAD3-4263-9F80-F769D50884F7.html "CLSID 8E67B5C5-BAD3-4263-9F80-F769D50884F7 | App and Browser Shield Broker | STRONTIC | strontic.github.io" + [21]: https://web.archive.org/web/20240913074955/https://strontic.github.io/xcyclopedia/library/clsid_C8DFF91D-B243-4797-BAE6-C461B65EDED3.html "CLSID C8DFF91D-B243-4797-BAE6-C461B65EDED3 | Data Protection Shield Broker | STRONTIC | strontic.github.io" + [22]: https://web.archive.org/web/20240913075211/https://strontic.github.io/xcyclopedia/library/clsid_DBF393FC-230C-46CC-8A85-E9C599A81EFB.html "CLSID DBF393FC-230C-46CC-8A85-E9C599A81EFB | ForceField Web Protection Shield Broker | STRONTIC | strontic.github.io" + [23]: https://web.archive.org/web/20240913075436/https://strontic.github.io/xcyclopedia/library/clsid_E041C90B-68BA-42C9-991E-477B73A75C90.html "CLSID E041C90B-68BA-42C9-991E-477B73A75C90 | Shield Elevation Broker | STRONTIC | strontic.github.io" + [24]: https://web.archive.org/web/20240913075557/https://strontic.github.io/xcyclopedia/library/clsid_E476E4C0-409C-43CD-BBC0-5905B4138494.html "CLSID E476E4C0-409C-43CD-BBC0-5905B4138494 | OS Protection Shield Broker | STRONTIC | strontic.github.io" + [25]: https://web.archive.org/web/20240913080701/https://strontic.github.io/xcyclopedia/library/clsid_08728914-3F57-4D52-9E31-49DAECA5A80A.html "CLSID 08728914-3F57-4D52-9E31-49DAECA5A80A | Shield Provider User Session Agent | STRONTIC | strontic.github.io" + [26]: https://web.archive.org/web/20240913072752/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_WindowsServer2019/comx64/comAppId.csv "windows-com-objects/Data/CASE_WindowsServer2019/comx64/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthProxyStub.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{AA00FB1F-4EC7-4b09-BDC1-E5D88D291440} + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{AA00FB1F-4EC7-4b09-BDC1-E5D88D291440} + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ“‚ Unprotected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{10964DDD-6A53-4C60-917F-7B5723014344} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2EF44DE8-80C9-42D9-8541-F40EF0862FA3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3213CD15-4DF2-415F-83F2-9FC58F3AEB3A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3522D7AF-4617-4237-AAD8-5860231FC9BA} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3886CA90-AB09-49D1-A047-7A62D096D275} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3CD3CA1E-2232-4BBF-A733-18B700409DA0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{5ffab5c8-9a36-4b65-9fc6-fb69f451f99c} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ“‚ Unprotected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{849F5497-5C61-4023-8E10-A28F1A8C6A70} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{88866959-07B0-4ED8-8EF5-54BC7443D28C} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8E67B5C5-BAD3-4263-9F80-F769D50884F7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{C8DFF91D-B243-4797-BAE6-C461B65EDED3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DBF393FC-230C-46CC-8A85-E9C599A81EFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E476E4C0-409C-43CD-BBC0-5905B4138494} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{37096FBE-2F09-4FF6-8507-C6E4E1179893} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{37096FBE-2F09-4FF6-8507-C6E4E1179893} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{7E55A26D-EF95-4A45-9F55-21E52ADF9887} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{7E55A26D-EF95-4A45-9F55-21E52ADF9887} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + name: Remove "Windows Security" system tray icon + docs: |- + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Remove "Scan with Defender" from context menu + docs: |- + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. + + This script enhances user privacy by limiting engagement with Defender's data collection processes. + Defender may collect data during scans and at regular intervals, which some users may find + unnecessary or unwanted. + + Removing this option only affects the context menu appearance and does not disable Defender + or its other functions. + + > **Caution**: This may reduce system security by making it less convenient to perform on-demand + > scans of specific files or folders. + + ### Technical Details + + The script functions by altering specific registry keys that correspond to the Defender context menu option. + It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. + The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` + (`HKEY_CLASSES_ROOT`) view [3]. + + The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. + This feature is provided by `shellext.dll` file located in Defender's program files [1]. + + [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780} + - + function: DeleteRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # โœ… Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # โœ… Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + function: DeleteRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # โœ… Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # โœ… Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the Windows Security icon from the system tray. + + **Windows Security** is an interface introduced in Windows 10, version 1703 [1]. + It was previously named **Windows Defender Security Center** [1]. + It offers a unified interface to manage security settings and monitor system status [1] [2]. + + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [3] [4]. + + > **Caution:** + > Removing the icon may hide important security alerts and make accessing security settings less convenient. + + ### Technical Details + + The script modifies the registry to stop this file from running on startup, effectively removing the icon. + It specifically removes the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth` registry key. + This key exists in modern Windows versions (tested on Windows 11 22H2 and Windows 10 22H2) with a + default value of `%SYSTEMROOT%\System32\SecurityHealthSystray.exe`. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" + [4]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + call: + function: DeleteRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + valueName: SecurityHealth + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' + # โœ… Windows 10 (โ‰ฅ 22H2) : C:\Windows\System32\SecurityHealthSystray.exe (REG_EXPAND_SZ) + # โœ… Windows 11 (โ‰ฅ 23H2) : C:\Windows\System32\SecurityHealthSystray.exe (REG_EXPAND_SZ) + dataTypeOnRevert: REG_EXPAND_SZ + dataOnRevert: '%SYSTEMROOT%\System32\SecurityHealthSystray.exe' + - + name: Disable Defender Antivirus interface + docs: |- + This script disables the Defender Antivirus interface. + + This script keeps the Antimalware User Interface (AM UI) hidden from users [1]. + This prevents user interactions with the Defender Antivirus interface. + + Several reasons to hide the antivirus interface: + + - **Reduced data sharing**: + Minimizing Defender's visible interactions can potentially limit the extent of user data shared with Microsoft, + whether you're using Defender or disabling it for an alternative solution. + - **Minimized Interruptions**: + Hiding the interface prevents users from starting and pausing scans. + It also eliminates prompts that may lead to unknowing data sharing. + This approach streamlines the user experience and reduces the risk of accidental data sharing. + - **Reduced notifications**: + Enabling headless UI mode in Windows 10 (version 1703 and newer) hides Defender Antivirus notifications [2]. + It prevents users from being overwhelmed with security notifications. + This action can contribute to a cleaner, less interrupted user experience. + By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that may share data. + - **Restricting access**: + In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. + If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. + + > **Caution**: + > This action limits your ability to manage antivirus settings, manually run scans and view security status. + + ### Technical Details + + The script achieves this by making a specific change in the Windows Registry. + Specifically, it adds a value named `UILockdown` in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its + data to `1` [1]. + + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable outdated non-administrator access to Defender threat history + docs: |- + This script disables privacy mode for Defender scans, limiting threat history access to administrators. + + By default, privacy mode is enabled [1]. + When active, it restricts the display of spyware and potentially dangerous programs to administrators only, + instead of all users on the computer [2]. + It blocks non-administrators from viewing threat history [1]. + + This is a legacy setting that only affects older versions of Defender Antivirus [1]. + It has no impact on current platforms [1]. + + Limiting threat history to administrators has both benefits and drawbacks. + It improves security and privacy by limiting access to sensitive threat information. + However, it may reduce transparency and hinder security efforts for users without admin access who + need this data. + + > **Caution**: Non-admin users will be unable to view potential security threats on their accounts. + + ### Technical Details + + The script configures: + + - `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. + It sets the value to `$True`, effectively disabling privacy mode [1]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. + This undocumented registry key has been verified to work on older Windows versions by the community [2]. + + [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "ะกะพั„ั‚ | ะกะตะบั€ะตั‚ั‹ Windows 7 | www.win7help.ru" + [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + call: + - + function: SetMpPreference + parameters: + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โœ… Windows 10 Pro (>= 22H2) | โŒ Windows 11 Pro (>= 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: DisablePrivacyMode + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โŒ Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2) + - + category: Disable sections in "Windows Security" + docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. + + **Windows Security** provides a centralized location for managing security settings and viewing system status [1] [2]. + This interface was introduced in Windows 10, version 1703 [1]. + It was previously known as **Windows Defender Security Center** [1]. + + Windows Security has various sections, and each can be turned off individually [1]. + If all sections are disabled, Windows Security will display in a restricted mode [1]. + + > **Caution:** + > Disabling sections may prevent you from accessing important security features or viewing your + > system's security status. + > This may leave you unaware of important security issues on your system. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable device security sections + children: + - + name: Disable "Device security" section in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Clear TPM" button in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable security notifications + docs: |- + This category contains scripts to disable Windows security notifications. + + Windows sends security notifications to inform users of potential threats, vulnerabilities, and important security events. + These notifications are generated by security components like Windows Security and Defender Antivirus. + + Disabling these notifications may: + + - Enhance privacy by reducing visible security-related information on your screen + - Improve system performance slightly by preventing these alerts from being processed and displayed + + However, disabling these notifications comes with significant risks: + + - Decreased awareness of critical security issues and threats + - Potential exposure to unnoticed malware or system vulnerabilities + - Missing important system maintenance tasks + + > **Caution**: + > Disabling security notifications may significantly reduce your awareness of critical system and security issues. + > This may increase your system's vulnerability to threats. + > Consider these options only if you have alternative security measures in place or are an advanced user who + > regularly monitors system security through other means. + children: + - + category: Disable Security and Maintenance notifications + docs: |- + This category includes scripts to disable Security and Maintenance notifications in Windows. + + **Security and Maintenance** was previously known as the **Action Center** [1] or + **Security Center** [1] [2]. + It serves as a central interface in Windows for managing security and maintenance settings [3]. + It alerts users to important system events, security risks, and maintenance issues [3]. + + Disabling these notifications may enhance privacy by reducing the visibility of system health and + security details. + It may also slightly improve system performance by preventing these alerts from being processed and + displayed. + + However, this action may decrease security by: + + - Reducing awareness of critical security or health events. + - Potentially leaving the system vulnerable to unnoticed threats or issues. + - Preventing Windows from alerting you about important system maintenance needs. + + > **Caution:** + > Disabling these notifications may significantly reduce your awareness of critical system and + > security issues, potentially leaving your system more vulnerable to threats. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + children: + - + name: Disable Security and Maintenance push notifications + docs: |- + This script disables all Windows Security and Maintenance notifications, + which may enhance privacy but could potentially impact system security. + + **Security and Maintenance** was previously known as **Action Center** [1] [2]. + It offers a central interface to manage security and maintenance settings [2] [3]. + It's integrated into the Windows Control Panel [2]. + It notifies you about important system events and issues [3] [4]. + These notifications are enabled by default [5]. + + Disabling these notifications may enhance privacy by limiting visible security and health + information on your screen. + It may also marginally improve system performance by preventing the processing and display + of these alerts. + + However, this action may reduce security: + + - Decreasing awareness of critical security and health events + - Introducing potential vulnerability to unnoticed system issues or security threats + + > **Caution**: + > This action may reduce your system security by preventing Windows from alerting you about + > critical security risks and system issues. + + ### Technical Details + + The script stops push notifications from the Windows Health Center package + (`Windows.SystemToast.SecurityAndMaintenance`) [4] [5]. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ "Disabling Windows 10 Notifications via Group Policy | Platforms, Lync, the Cloud, Oh My! | blogs.technet.microsoft.com" + [5]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" call: - function: SetRegistryValue + function: DisablePushNotifications parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + appUserModelId: Windows.SystemToast.SecurityAndMaintenance + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.SecurityAndMaintenance" + # reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SecurityAndMaintenance" - - category: Disable device security sections - children: + name: Disable Security and Maintenance taskbar notifications + docs: |- + This script disables Security and Maintenance-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Action Center and + Security and Maintenance components [1] [2]. + **Security and Maintenance** was previously known as **Action Center** [3] [4]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing + them on the Windows taskbar, managing Jump Lists, and controlling pinning [5]. + + This script may enhance privacy by reducing the visibility of security-related information + on your desktop. + It may also slightly improve system performance by disabling these notification processes. + + However, disabling these notifications may reduce your awareness of important security and + maintenance issues. + + > **Caution**: + > Disabling taskbar integrations may leave you unaware of critical security and maintenance + > issues on your system. + + ### Technical Details + + This script removes these AppUserModelIds: + + - `Windows.ActionCenter.UrgentNotification` [1] + - `Windows.SystemToast.SecurityAndMaintenance` [2] + + [1]: https://web.archive.org/web/20240902111830/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [5]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.ActionCenter.UrgentNotification + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance notification integrations + docs: |- + This script disables Security and Maintenance integrations that use Component Object Model (COM). + Previously, **Security and Maintenance** was known as **Action Center** [1]. + + *Component Object Model (COM)* enables communication between software components, whether within the + same process, on the same computer, or across different computers [2]. + By removing registry entries for these integrations, the script prevents Windows from creating and using + COM objects related to Security and Maintenance notifications. + + This script may improve privacy by reducing the system's ability to generate and display certain notifications + that may contain sensitive information. + It may slightly improve system performance by stopping some background processes related to security notifications. + + However, this action has significant trade-offs: + + - It disables security and maintenance notifications, which may leave you unaware of important system issues or security threats. + - It prevents certain system health checks from running or reporting their results. + - It may disable parts of the Windows Security Center. + - It may break functionality in third-party security tools that rely on these integrations. + + > **Caution**: + > Disabling these integrations may reduce your awareness of critical system and security issues, leaving your system + > more vulnerable to threats. + + ### Technical Details + + | Type | Name | ID | + | --------- | ------------------------------------------- | --------------------------------- | + | CLSID | Action Center Notification Activator [3] [4] | `A973E7B2-131B-428E-8B2B-EAE73D731E98` [3] [4] | + | CLSID | Security and Maintenance Notification Manager [3] [4] | `a3b3c46c-05d8-429b-bf66-87068b4ce563` [3] [4] | + | CLSID | Security and Maintenance PSFactory [3] [4] | `01afc156-f2eb-4c1c-a722-8550417d396f` [3] [4] | + | Interface | IHCNotificationManager [3] [4] | `01afc156-f2eb-4c1c-a722-8550417d396f` [3] [4] | + | Interface | IHCObjectWithCanonicalName [3] [4] | `824f0d64-069c-4383-9107-f18fc40c3ca6` [3] [4] | + | Interface | IHCCheckProvider [3] [4] | `418ee892-56f0-4c3b-9238-696ba0cef799` [3] [4] | + | Interface | IHCDescriptionAndIcon [3] [4] | `7cbc33db-7a53-45c3-a0cc-610292bd7b9e` [3] [4] | + | Interface | IHCCheck [3] [4] | `FAE9CE59-7621-4208-8BC3-2ACECD58FED2` [3] [4] | + | Interface | IHCCommand [3] [4] | `3d2eafc0-96d0-4925-9f7d-ff80b168f243` [3] [4] | + | Interface | IHCStatus [3] [4] | `b387c51b-7fe4-4252-8cd4-585592b4dc7e` [3] [4] | + | Interface | IHCAction [3] [4] | `e90aad8b-7f0c-480d-b33e-16779c4cf59d` [3] [4] | + | Interface | IHCNotification [3] [4] | `8025d477-47d3-449c-9350-c676140ee829` [3] [4] | + | Interface | IHCCheckCollection [3] [4] | `db62c52c-dbae-476c-aeac-fa9966e85326` [3] [4] | + | Interface | IHCNotificationCollection [3] [4] | `1cf5e433-3cf8-498e-8b5a-f47e23200e07` [3] [4] | + | Interface | IHCCommandCollection [3] [4] | `58d879fe-5b40-46aa-ab68-d146ff6a68a0` [3] [4] | + | Interface | IHCNotificationManagerEventsP [3] [4] | `0acabbb8-8f37-4605-9d41-eec1c33eeb95` [3] [4] | + | Interface | IHCCheckInternalP [3] [4] | `0cc6fe25-a88b-480d-956a-a9a20bd2c65a` [3] [4] | + | Interface | IHCNotificationInternalP [3] [4] | `8db6ae56-7ea1-421c-9c22-d3247c12c6c4` [3] [4] | + | Interface | IHCIconP [3] [4] | `014a1425-828b-482a-a386-5763b23531c3` [3] [4] | + | Interface | IHCNotificationManagerP [3] [4] | `B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5` [3] [4] | + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240903111125/https://learn.microsoft.com/en-us/windows/win32/com/inter-object-communication "Inter-Object Communication - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{A973E7B2-131B-428E-8B2B-EAE73D731E98} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{A973E7B2-131B-428E-8B2B-EAE73D731E98} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - category: Disable Defender notifications - children: + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{01afc156-f2eb-4c1c-a722-8550417d396f} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{01afc156-f2eb-4c1c-a722-8550417d396f} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{824f0d64-069c-4383-9107-f18fc40c3ca6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{824f0d64-069c-4383-9107-f18fc40c3ca6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{418ee892-56f0-4c3b-9238-696ba0cef799} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{418ee892-56f0-4c3b-9238-696ba0cef799} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{7cbc33db-7a53-45c3-a0cc-610292bd7b9e} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{7cbc33db-7a53-45c3-a0cc-610292bd7b9e} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{FAE9CE59-7621-4208-8BC3-2ACECD58FED2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{FAE9CE59-7621-4208-8BC3-2ACECD58FED2} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{3d2eafc0-96d0-4925-9f7d-ff80b168f243} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3d2eafc0-96d0-4925-9f7d-ff80b168f243} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{b387c51b-7fe4-4252-8cd4-585592b4dc7e} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{b387c51b-7fe4-4252-8cd4-585592b4dc7e} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{e90aad8b-7f0c-480d-b33e-16779c4cf59d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e90aad8b-7f0c-480d-b33e-16779c4cf59d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{8025d477-47d3-449c-9350-c676140ee829} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8025d477-47d3-449c-9350-c676140ee829} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{db62c52c-dbae-476c-aeac-fa9966e85326} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{db62c52c-dbae-476c-aeac-fa9966e85326} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{1cf5e433-3cf8-498e-8b5a-f47e23200e07} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1cf5e433-3cf8-498e-8b5a-f47e23200e07} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{58d879fe-5b40-46aa-ab68-d146ff6a68a0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{58d879fe-5b40-46aa-ab68-d146ff6a68a0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0acabbb8-8f37-4605-9d41-eec1c33eeb95} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0acabbb8-8f37-4605-9d41-eec1c33eeb95} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0cc6fe25-a88b-480d-956a-a9a20bd2c65a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0cc6fe25-a88b-480d-956a-a9a20bd2c65a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{8db6ae56-7ea1-421c-9c22-d3247c12c6c4} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8db6ae56-7ea1-421c-9c22-d3247c12c6c4} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{014a1425-828b-482a-a386-5763b23531c3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{014a1425-828b-482a-a386-5763b23531c3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - category: Disable Windows Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: + name: Disable all Security and Maintenance notifications + docs: |- + This script disables all Security and Maintenance notifications in Windows, + potentially enhancing privacy but also reducing system security awareness. + + **Security and Maintenance** was formerly called **Action Center** [1]. + This interface manages and centralizes Windows security and maintenance settings [2] [3] [4] + It notifies users about key system events, security risks, and maintenance issues [2] [3]. + Windows automatically checks for security and maintenance issues and sends notifications by default [2]. + + This script disables notifications for: + + - **Security messages:** + Windows Update, Internet security settings, Network firewall, Microsoft account + Spyware and unwanted software protection, User Account Control, Virus protection, Windows activation [2] + - **Maintenance messages:** + Windows Backup, Automatic Maintenance, Drive status, Device software, Startup apps, + Windows Troubleshooting, HomeGroup, File History, Storage Spaces, Work Folders [2] + + Disabling these notifications may improve privacy by hiding system health and security details. + It may slightly improve system performance by stopping these alerts from being processed and shown. + + However, disabling these notifications may reduce security by: + + - Reducing awareness of critical security or health events + - Potentially leaving the system vulnerable to unnoticed threats or issues + - Preventing Windows from alerting you about important system maintenance needs + + > **Caution:** + > Disabling these notifications may significantly reduce your awareness of critical system and security issues, + > potentially increasing your system's vulnerability to threats. + + ### Technical Details + + This script removes or modifies the following registry keys: + + - `HKLM\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers` [5] [6] + - `HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks` [5] [6] + - `HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers` [6] [7] + - `HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks` (outdated) [8] [9] [10] + - `HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers` (outdated) [11] + + These registry keys are linked to `ActionCenter.dll` [6] [12], + which is part of the **Security and Maintenance** component [12]. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://archive.ph/2024.09.05-145003/https://www.tenforums.com/tutorials/107172-backup-restore-security-maintenance-settings-windows-10-a.html "Backup and Restore Security and Maintenance Settings in Windows 10 | Tutorials | www.tenforums.com" + [3]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [4]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + [5]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240905144852/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ActionCenter.dll.strings "10_0_22623_1020/C/Windows/System32/ActionCenter.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 ยท privacysexy-forks/10_0_22623_1020 | github.com" + [7]: https://web.archive.org/web/20240905144727/https://daniosvet.ru/c/kak-otkluchit-uvedomleniya-centra-bezopasnosti-v-windows-10-cherez-reestr "How to disable security center notifications in Windows 10 via registry | daniosvet.ru" + [8]: https://web.archive.org/web/20100823045314/http://social.technet.microsoft.com:80/Forums/en-US/w7itproui/thread/83dc3de6-70b7-450f-992c-60511e4a6c4f "How can I turn off messages for certain Action Center items? | social.technet.microsoft.com" + [9]: https://web.archive.org/web/20240905144738/https://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-turn-off-the-backup-notification-in-the-windows-7-actions-center/ "How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center โ€“ Group Policy Central | www.grouppolicy.biz" + [10]: https://web.archive.org/web/20240905144812/https://randoltech.blogspot.com/2015/06/registry-settings-for-action-center.html "RandolTech: Registry Settings for Action Center alerts | randoltech.blogspot.com" + [11]: https://github.com/privacysexy-forks/Winapp2/blob/master/Winapp2.ini "Winapp2/Winapp2.ini at master ยท privacysexy-forks/Winapp2 | github.com" + [12]: https://web.archive.org/web/20240905145907/https://strontic.github.io/xcyclopedia/library/ActionCenter.dll-4B9995C71B4C41ECE5C8A165A6CED82E "ActionCenter.dll | Security and Maintenance | STRONTIC | strontic.github.io" + call: - - name: Disable all Defender notifications - docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable non-critical Defender notifications - docs: - - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers + - + category: Disable Windows Security notifications + docs: |- + This category provides options to disable various notifications from **Windows Security**. + + Windows Security, built into Windows, provides a centralized interface for managing security settings and viewing + system status [1] [2]. + It was first introduced in Windows 10, version 1703 [1]. + Initially, it was called **Windows Defender Security Center** [1]. + It displays notifications via the **Notification Center** [1] (formerly **Action Center** [3] [4]). + + Windows Security notifications inform users about device health and security, including firewall updates, + antivirus status, and **Defender SmartScreen** [2]. + These notifications are meant to inform users of potential security risks, but some may find them intrusive or unnecessary. + + Disabling these notifications may: + + - Improve privacy by reducing visible security information that may be sensitive. + - Slightly boost system performance by reducing background processes. + + However, disabling these notifications has significant trade-offs: + + - You may miss critical security alerts, leaving your system vulnerable. + - You may be unaware of important updates or actions needed to maintain security. + + > **Caution**: + > Disabling Windows Security notifications may reduce your awareness of critical security events and vulnerabilities. + > Only consider this action if you have alternative security measures in place, such as other monitoring tools or + > strong security practices. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_11 "How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + children: - - name: Disable security and maintenance notifications # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + name: Disable all Windows Security notifications + docs: |- + This script disables all notifications generated by Windows Security. + + **Windows Security** is a built-in Windows feature that offers a unified interface for various + security products, including **Defender Antivirus** [1]. + This interface was previously called **Security Center** [1]. + + By default, local users are notified by Windows Security [2] [3]. + This script blocks these notifications [2] [3]. + + This script may enhance your privacy by reducing visible security-related information on your screen. + It may also slightly improve system performance by reducing the processing and display of these notifications. + However, disabling these notifications will decrease your awareness of critical security events. + + > **Caution**: Disabling security notifications will leave you unaware of critical security issues on your system. + + ### Technical Details + + The script performs the following actions: + + - Disables push notifications from the Windows Security Center package + (`Windows.SystemToast.SecurityCenter`) [4]. + - Configures Group Policy to disable notifications + `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableNotifications` [2] [3]. + - Modifies user interface settings to prevent the display of notifications via + `HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications` [5]. + + [1]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenotifications "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902101758/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications "Hide all notifications | admx.help" + [4]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240513222301/https://www.elevenforum.com/t/enable-or-disable-all-windows-security-notifications-in-windows-11.13321/ "Enable or Disable All Windows Security Notifications in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" call: - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: DisablePushNotifications + parameters: + appUserModelId: Windows.SystemToast.SecurityCenter + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.SecurityCenter" + # reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SecurityCenter" - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + name: Disable non-critical Windows Security notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications call: - function: SetRegistryValue parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Windows Security taskbar notifications + docs: |- + This script disables Windows Security-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Windows Security components [1] [2]. + Windows Security is also called **Security Center** in older versions of Windows [3]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing them + on the Windows taskbar, managing Jump Lists, and controlling pinning [4]. + + This script may enhance privacy by reducing the visibility of security-related information on your desktop. + It may also slightly improve system performance by disabling these notification processes. + + However, disabling these notifications may reduce your awareness of important security issues. + + > **Caution**: + > Disabling taskbar integrations may leave you unaware of critical security issues on your system. + + ### Technical Details + + This script removes these AppUserModelIds: + + - `Windows.SystemToast.SecurityCenter` [1] + - `Windows.Defender.SecurityCenter` [2] + + [1]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240902112044/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthAgent.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthAgent.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SecurityCenter + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender.SecurityCenter + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Defender Antivirus notifications + docs: |- + This category contains scripts to disable various notifications from Defender Antivirus. + + **Defender Antivirus**, built into Windows, protects your device from malware and + other threats [1]. + It analyzes your data using machine learning and cloud-based protection technologies [1]. + This data analysis raises privacy concerns. + + Key features of Defender Antivirus include: + + - Real-time protection against known and new threats [1] + - Behavior-based detection to identify suspicious activities [1] + + Defender Antivirus typically sends notifications when: + + - Scans are completed (both scheduled and manual) [2] + - Threats are detected [2] + - System status changes occur [2] + + These notifications appear on your device and in the **Notification Center** [2] + (previously known as the **Action Center** [3]). + + Disabling these notifications may: + + - Enhance privacy by reducing visible information about your system's security status + - Improve system performance by reducing background processes + + However, disabling notifications may: + + - Lower your awareness of security threats + - Increase the risk of unnoticed malware or system issues + + The scripts in this category apply to both the standard **Defender Antivirus** and + the **Defender for Endpoint** suite [1] [2]. + + > **Caution**: + > Disabling security notifications may prevent you from noticing critical system threats. + > This may reduce your security if you do not have alternative measures in place. + + [1]: https://web.archive.org/web/20240728184012/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240905102312/https://learn.microsoft.com/en-us/defender-endpoint/configure-notifications-microsoft-defender-antivirus "Configure Microsoft Defender Antivirus notifications - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + children: + - + name: Disable Defender Antivirus push notifications + docs: |- + This script disables notifications from Defender Antivirus. + + By default, Defender Antivirus notifies you of potential threats and system status [1] [2]. + This script disables these notifications [1] [2]. + + Disabling these notifications may enhance privacy by limiting visible information on your + system's security status. + It may also slightly improve system performance by reducing background processes related to + notification display. + However, this action may reduce your security awareness, potentially leaving your system vulnerable to + unnoticed threats such as malware. + + > **Caution**: + > Disabling notifications reduces your awareness of security alerts, which may compromise system security. + + ### Technical Details + + The script: + - Configures group policy to suppress notifications by setting + `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration!Notification_Suppress` [1] [2] + - Stops push notifications from the Windows Defender UI package + (`Windows.Defender`) [3] + + [1]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#ux_configuration_notification_suppress "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240902105942/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress "Suppress all notifications | admx.help" + [3]: https://web.archive.org/web/20240902105452/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_windows-defender-ui_31bf3856ad364e35_10.0.22621.1_none_81f39428081c6a33.manifest "nickel-x64/WinSxS/Manifests/wow64_windows-defender-ui_31bf3856ad364e35_10.0.22621.1_none_81f39428081c6a33.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: - function: SetRegistryValue parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration valueName: Notification_Suppress dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: DisablePushNotifications + parameters: + appUserModelId: Windows.Defender + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.Defender" + # reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.Defender" - - name: Disable Defender reboot notifications + name: Disable Defender Antivirus reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification call: function: SetRegistryValue @@ -19604,10 +22504,580 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Antivirus taskbar notifications + docs: |- + This script disables Defender Antivirus-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Defender components [1]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing + them on the Windows taskbar, managing Jump Lists, and controlling pinning [2]. + + This script may enhance privacy by reducing the visibility of antivirus-related information + on your desktop. + It may also slightly improve system performance by disabling these notification processes. + + However, disabling these notifications may reduce your awareness of important antivirus issues. + + > **Caution**: + > Disabling taskbar integrations may leave you unaware of critical antivirus issues on your + > system. + + ### Technical Details + + This script removes these AppUserModelIds: + + - `Microsoft.Windows.Defender` [1] + - `Windows.Defender` [1] + + [1]: https://web.archive.org/web/20240902111830/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender + - + category: Disable Security and Maintenance + docs: |- + This category includes scripts that disable various components of the + **Security and Maintenance** feature. + + **Security and Maintenance** was previously known as **Action Center** [1] [2]. + This feature provides a central interface for managing Windows security and maintenance settings [1] [2]. + It monitors and reports on system health, including security threats, software updates, and hardware issues [3]. + + Disabling these components enhances privacy by reducing system monitoring and data collection associated with + security and maintenance. + This may also improve system performance by stopping background processes associated with these functions. + + However, disabling these components can significantly impact system security. + It limits the system's ability to alert users to potential threats, vulnerabilities, and critical + maintenance issues. + This may make the system more vulnerable to security risks if not properly managed. + + > **Caution**: + > Disabling Security and Maintenance features may leave your system more vulnerable to security threats + > and maintenance issues. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + children: + - + name: Disable Security and Maintenance core library + docs: |- + This script disables the Security and Maintenance library, a core component of + Windows security monitoring. + + **Security and Maintenance** was formerly known as **Action Center** [1]. + It is a central interface for managing Windows security and maintenance settings [2] [3]. + By default, Windows automatically checks for security and maintenance issues and sends notifications + via this interface [2]. + + This script disables the `ActionCenter.dll` library, which is responsible for: + + - Managing security and maintenance notifications [4] + - Processing and caching system health notifications [4] + - Handling the icon and its tooltips in the system tray [4] + - Interacting with various Windows components to check system health status [4] + - Launching the Control Panel applet for Security and Maintenance [4] + - Creating and managing toast notifications for security and maintenance issues [4] + - Interfacing with Windows event logs to gather system health information [4] + - Handling user interactions with notifications and the interface [4] + - Managing settings related to security and maintenance checks [4] + + Disabling this library may enhance privacy by reducing system monitoring and data collection + related to security and maintenance activities. + It may also improve system performance by stopping background processes related to these functions. + + However, disabling this library will impair the functionality of Security and Maintenance [5]. + It reduces system security by disabling important notifications about potential + threats and system vulnerabilities. + This change also complicates the management of security settings, potentially making it harder + for users to maintain a secure system. + + > **Caution**: + > This action may leave your system more vulnerable to security threats and maintenance issues if not carefully managed. + + ### Technical Details + + This script removes the `ActionCenter.dll` file [4] [5] [6]. + This file belongs to **Security and Maintenance** [6]. + The name of the files comes from *Action Center* which was the previous name + of *Security and Maintenance* [1]. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://archive.ph/2024.09.05-145003/https://www.tenforums.com/tutorials/107172-backup-restore-security-maintenance-settings-windows-10-a.html "Backup and Restore Security and Maintenance Settings in Windows 10 | Tutorials | www.tenforums.com" + [3]: https://web.archive.org/web/20240630202431/http://hs.windows.microsoft.com/hhweb/content/m-en-us/p-6.2/id-bbeaaca4-c6ae-47f8-8f2f-03deadf80271/ "What is Action Center? | hs.windows.microsoft.com" + [4]: https://web.archive.org/web/20240905145907/https://strontic.github.io/xcyclopedia/library/ActionCenter.dll-4B9995C71B4C41ECE5C8A165A6CED82E "ActionCenter.dll | Security and Maintenance | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20150920214245/http://www.sevenforums.com/general-discussion/37592-disable-action-center-notifications-2.html "Disable Action Center notifications - Page 2 - Windows 7 Forums | www.sevenforums.com" + [6]: https://web.archive.org/web/20240905144852/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ActionCenter.dll.strings "10_0_22623_1020/C/Windows/System32/ActionCenter.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 ยท privacysexy-forks/10_0_22623_1020 | github.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\ActionCenter.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\ActionCenter.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance Control Panel applet + docs: |- + This script disables the **Security and Maintenance** feature in the Windows Control Panel. + + Security and Maintenance (previously **Action Center** [1] [2]) is a central interface + for managing Windows security and maintenance settings [2] [3]. + + It controls: + + - Security components such as *firewall*, *Internet security settings*, and *User Account Control (UAC)* [3] + - Maintenance features as *automatic Maintenance*, *drive status*, and *file history* [3] + + This interface also displays relevant notifications [3]. + + After running this script, **Security and Maintenance** will be disabled and inaccessible. + This enhances privacy by limiting the system's ability to monitor and report on security and maintenance issues. + It may slightly improve system performance by disabling related background processes. + + However, this change may reduce overall system security and make managing important security settings more difficult. + You will need to monitor and adjust these settings manually. + + > **Caution**: Disabling this feature may increase vulnerability to security threats and maintenance + > issues unless carefully managed. + + ### Technical Details + + This script removes: + + - COM registrations for the application CLSID `BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6` [4] + - DLL files `ActionCenterCPL.dll` [4] + - Executable Control Panel item registration for the CLSID `BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6` [5] + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20240829174447/https://strontic.github.io/xcyclopedia/library/clsid_BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6.html "CLSID BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6 | Security and Maintenance CPL | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240829174323/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/hh127450(v=vs.85) "How to Register Executable Control Panel Items (Windows) | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\ActionCenterCPL.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\ActionCenterCPL.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance desktop features + docs: |- + This script disables the Security and Maintenance desktop integration in Windows. + + Windows automatically loads certain applications at startup using **Shell Service Objects** [1]. + These objects are loaded early during startup by `explorer.exe`, the core shell for Windows [1]. + Shell Service Objects handle tasks like file management, system operations, and user interface interactions [2]. + + The script removes the **Security and Maintenance Shell Service Object** [3] [4]. + This object shows security and health notifications on your desktop. + Disabling this may reduce certain Security and Maintenance capabilities, such as specific file operations, + window management, system tasks, service control, help functions, security dialogs, shell integration, + and application search [2]. + + Disabling this integration may: + + - Enhance privacy by reducing the visibility of security and health-related information on your desktop. + - Improve system performance by reducing system resource usage associated with these notifications. + + However, disabling notifications may reduce your awareness of important security and health issues. + + > **Caution:** + > This script may result in losing access to certain **Security and Maintenance** features + > and missing important security alerts. + + ### Technical Details + + This script removes the following components: + + - **Security and Maintenance Shell Service Object** with CLSID: + `F56F6FDD-AA9D-4618-A949-C1B91AF43B1A` [3] [4] + - The associated registry key: + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}` [3] [4] + + [1]: https://web.archive.org/web/20240904131019/https://www.boostbyreason.com/resource-startups-ShellServiceObjectDelayLoads.aspx "Shell service object delay loads - Boost Your Slow PC. | www.boostbyreason.com" + [2]: https://web.archive.org/web/20240904131043/https://learn.microsoft.com/en-us/windows/win32/shell/shell "Shell object (Shldisp.h) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + - + name: Disable Defender Firewall Control Panel applet + docs: |- + This script disables the Windows Defender Firewall Control Panel applet, restricting access + to firewall settings through this specific interface. + + The Windows Defender Firewall Control Panel applet is a tool for configuring the Defender Firewall [1]. + It can be accessed by typing `firewall.cpl` in the **Start** menu and pressing **Enter** [1]. + + Disabling this applet enhances security by reducing the attack surface and potential vulnerabilities in the + firewall's configuration interface. + This action preserves your firewall settings by blocking modifications through the Control Panel applet. + It may also slightly boost system performance by eliminating unnecessary components. + + > **Caution**: + > Disabling this applet removes a user-friendly interface for configuring the firewall. + > Users can still manage firewall settings through other means, such as PowerShell or + > the **Windows Security** app. + + ### Technical Details + + The script removes the following components: + + - Windows Defender Firewall Control Panel [2] (File Path: `%WINDIR\System32\FirewallControlPanel.dll` [2] [3] [4] [5] [6]) + - Virtual Factory for Windows Defender Firewall CPL class [3] (CLSID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3]) + - Virtual Factory for Windows Defender Firewall CPL app [3] (AppID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3]) + - `FirewallControlPanel.dll` COM class (CLSID: `1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1` [4]) + - FwCpl LUA class (CLSID: `752438CB-E941-433F-BCB4-8B7D2329F0C8` [5]) + - FwCpl LUA app (AppID: `6571503D-D0FB-4D98-BBC3-1FBB2B3F344E` [5]) + - FwCpl LUA type library (TypeLib: `B9C76E7B-D029-44EB-896F-F02FC6E9ABD5` [5]) + - Firewall Control Panel class (CLSID: `{DDECE4B2-979F-4CDB-9F58-B036FE5A510C}` [6]) + + [1]: https://web.archive.org/web/20240831142406/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/tools#control-panel "Windows Firewall tools | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831142607/https://strontic.github.io/xcyclopedia/library/FirewallControlPanel.dll-751214B2EB569EABF97659975725A321.html "FirewallControlPanel.dll | Windows Defender Firewall Control Panel | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240831142413/https://strontic.github.io/xcyclopedia/library/clsid_A4B07E49-6567-4FB8-8D39-01920E3B2357.html "CLSID A4B07E49-6567-4FB8-8D39-01920E3B2357 | Virtual Factory for Windows Defender Firewall Cpl | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831142428/https://strontic.github.io/xcyclopedia/library/clsid_1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1.html "CLSID 1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1 | (C:\Windows\System32\FirewallControlPanel.dll) | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240831142524/https://strontic.github.io/xcyclopedia/library/clsid_752438CB-E941-433F-BCB4-8B7D2329F0C8.html "CLSID 752438CB-E941-433F-BCB4-8B7D2329F0C8 | FwCpl LUA | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831142527/https://strontic.github.io/xcyclopedia/library/clsid_DDECE4B2-979F-4CDB-9F58-B036FE5A510C.html "CLSID DDECE4B2-979F-4CDB-9F58-B036FE5A510C | Firewall Control Panel | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\System32\FirewallControlPanel.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\AppId\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{752438CB-E941-433F-BCB4-8B7D2329F0C8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{752438CB-E941-433F-BCB4-8B7D2329F0C8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{6571503D-D0FB-4D98-BBC3-1FBB2B3F344E} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\AppId\{6571503D-D0FB-4D98-BBC3-1FBB2B3F344E} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{B9C76E7B-D029-44EB-896F-F02FC6E9ABD5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\TypeLib\{B9C76E7B-D029-44EB-896F-F02FC6E9ABD5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DDECE4B2-979F-4CDB-9F58-B036FE5A510C} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Firewall "Windows Defender Firewall with Advanced Security" + docs: |- + This script disables the **Windows Defender Firewall with Advanced Security (WFAS)** management interface. + + The Windows Defender Firewall with Advanced Security (WFAS) is a Microsoft Management Console (MMC) snap-in + offering advanced configuration options for your firewall [1]. + It can be accessed locally or through group policies by typing `wf.msc` in the Start menu [1]. + + The **Microsoft Management Console (MMC)** acts as a toolbox for managing various Windows components, + including hardware, software, and network settings [2]. + A **snap-in** is a specific type of tool within this MMC toolbox [2]. + + Disabling WFAS may enhance privacy by removing an interface that could be used for network monitoring. + It may also slightly boost system performance by reducing background processes. + + However, this action removes a user-friendly interface for configuring the firewall. + It may reduce your security by making firewall management more difficult to access. + + This script disables only the WFAS interface, not the firewall itself. + Firewall settings can still be managed through other methods, such as PowerShell or Windows Security. + + > **Caution**: + > This script removes a user-friendly tool for managing the firewall, potentially making it harder to control computer security settings. + + ### Technical Details + + This script removes: + + - **Windows Defender Firewall with Advanced Security Group Policy Editor Extension** [3] [4] + - File path: `%WINDIR%\System32\AuthFWGP.dll` [3] [5] + - File path: `%WINDIR%\SysWOW64\AuthFWGP.dll` [4] + - **Windows Defender Firewall with Advanced Security** [5] [6] COM class + - CLSID: `023A36FC-E9D5-419E-824A-CDC66A116E84` [5] + - CLSID: `0E752416-F29E-4195-A9DD-7F0D4D5A9D71` [6] + + [1]: https://web.archive.org/web/20240831142406/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/tools#windows-defender-firewall-with-advanced-security "Windows Firewall tools | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831144214/https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console "What is MMC - Windows Server | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240831144246/https://strontic.github.io/xcyclopedia/library/AuthFWGP.dll-AEC29DD818090C5FC3274179EF262D1A.html "AuthFWGP.dll | Windows Defender Firewall with Advanced Security Group Policy Editor Extension | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831144435/https://strontic.github.io/xcyclopedia/library/AuthFWGP.dll-2F4C8AA2A2AFD38A08B3C108F4E537F4.html "AuthFWGP.dll | Windows Defender Firewall with Advanced Security Group Policy Editor Extension | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240831144232/https://strontic.github.io/xcyclopedia/library/clsid_023A36FC-E9D5-419E-824A-CDC66A116E84.html "CLSID 023A36FC-E9D5-419E-824A-CDC66A116E84 | Windows Defender Firewall with Advanced Security | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831144427/https://strontic.github.io/xcyclopedia/library/clsid_0E752416-F29E-4195-A9DD-7F0D4D5A9D71.html "CLSID 0E752416-F29E-4195-A9DD-7F0D4D5A9D71 | Windows Defender Firewall with Advanced Security | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\System32\AuthFWGP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\SysWOW64\AuthFWGP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{023A36FC-E9D5-419E-824A-CDC66A116E84} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{023A36FC-E9D5-419E-824A-CDC66A116E84} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable outdated "Windows Defender Security Center" interface + docs: |- + This script disables outdated Defender Antivirus user interface components. + + The **Windows Defender User Experience Host** managed communication between Windows components and apps, + including the discontinued Windows Defender Security Center [1]. + This interface is not present in modern Windows versions, so this script will not affect recent Windows systems. + + Disabling this component may enhance privacy on older systems by reducing monitoring and data + collection from the Defender components. + It helps maintain control over privacy preferences and reduces the risk of unintended changes. + This action may also improve system performance by stopping processes that use system resources. + Removing obsolete software reduces the potential attack surface, aligning with security best practices. + + However, this action may reduce system security if you are using older versions of Windows. + Carefully weigh the privacy benefits against potential security risks before applying this script. + + > **Caution**: This script limits the Defender user interface on older Windows versions. + + ### Technical Details + + This script removes several components related to the Windows Defender User Experience (`MpUx`), including: + + - MP UX Host (AppID: `FDA74D11-C4A6-4577-9F73-D7CA8586E10D`) [2] + - MP UX Host [3] [4] (CLSID: `FDA74D11-C4A6-4577-9F73-D7CA8586E10D`) [2] [3] [4] [5] + - WD modern host server [1] [4] (File: `%PROGRAMFILES%\Windows Defender\MpUXSrv.exe` [4]) + - Defender MpUxAgent [6] (File: `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MPUXAGENT.DLL` [5] [7]) + - Defender MpUxAgent (CLSID: `4DB116D1-9B24-4DFC-946B-BFE03E852002` [5] [7]) + - Defender MpUxAgent (CLSID: `2DCD7FDB-8809-48E4-8E4F-3157C57CF987}` [5] [7]) + - Defender Data Loss Prevention UI (Application User Model ID: `Windows.Defender.MpUxDlp` [5]) + - MpUx Agent Host [5] [8] (AppID: `1111a26d-ef95-4a45-9f55-21e52adf9887` [5] [8]) + - COM Proxy for mpuxhost (MP Modern shell host) [9] (file: `%PROGRAMFILES%\Windows Defender\mpuxhostproxy.dll` [3] [7]) + - PSFactoryBuffer [3] (CLSID: `13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8` [2] [3] [7]) + - PSFactoryBuffer [3] (CLSID: `94F35585-C5D7-4D95-BA71-A745AE76E2E2` [2] [3]) + + Tests confirm that these components are not present in Windows versions from Windows 10 19H1 and Windows 11 21H2 onwards. + + [1]: https://web.archive.org/web/20240830202122/https://www.spyshelter.com/exe/microsoft-windows-mpuxsrv-exe/ "What is MpUXSrv.exe (WD modern host server)? 4 reasons to/NOT trust it | www.spyshelter.com" + [2]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings "10_0_19045_2251/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf ยท privacysexy-forks/10_0_19045_2251 | github.com" + [3]: https://web.archive.org/web/20240830202035/https://wikileaks.org/ciav7p1/cms/page_13762818.html "CLSIDs Windows 8.1 Enterprise x64 with Office 2013 | wikileaks.org" + [4]: https://github.com/privacysexy-forks/r2com/blob/master/clsids.json "r2com/clsids.json at master ยท privacysexy-forks/r2com | github.com/privacysexy-forks" + [5]: https://web.archive.org/web/20240831105355/https://hypedisenio.blogspot.com/2011/07/diseno-hola-todos-los-interesados-en.html "hypedisenio: Diseรฑo: Hola a todos los interesados en sitios de divulgac... | hypedisenio.blogspot.com" + [6]: https://web.archive.org/web/20240831105406/https://manalyzer.org/report/705f5d24ef8780386e98d6d0b50b0a70 "Manalyzer :: 705f5d24ef8780386e98d6d0b50b0a70 | manalyzer.org" + [7]: https://github.com/privacysexy-forks/Trawler/blob/main/trawler.ps1 "Trawler/trawler.ps1 at main ยท privacysexy-forks/Trawler | github.com" + [8]: https://web.archive.org/web/20240923153453/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_Windows10_20H2/comx86/comAppId.csv "windows-com-objects/Data/CASE_Windows10_20H2/comx86/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + [9]: https://archive.ph/2024.08.31-105522/https://www.dllme.com/dll/files/mpuxhostproxy "mpuxhostproxy.dll : Free .DLL download. | www.dllme.com" + [10]: https://web.archive.org/web/20240830202110/https://www.herdprotect.com/mpuxsrv.exe-8bc4fa864c753f26969a98a6ba42553e16982c51.aspx "Malware scan of MpUxSrv.exe (WD modern host server) 8bc4fa864c753f26969a98a6ba42553e16982c51 - herdProtect | www.herdprotect.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpUXSrv.exe' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\Software\Classes\AppID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MPUXAGENT.DLL' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\AppID\{1111a26d-ef95-4a45-9f55-21e52adf9887} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\mpuxhostproxy.dll' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller - category: Disable Defender Exploit Guard docs: |- - This category disables Windows Defender Exploit Guard, potentially enhancing privacy and + This category disables Defender Exploit Guard, potentially enhancing privacy and system performance. Exploit Guard is also called **Windows Defender Exploit Guard** [1] [2] [3] [4] [5] @@ -19621,7 +23091,7 @@ actions: It also increases user autonomy by enabling choices about which programs, scripts, and websites can connect without automatic intervention. - Disabling Exploit Guard may reduce protection against certain types of attacks. + However, disabling Exploit Guard may reduce protection against certain types of attacks. Users should carefully weigh the trade-offs between enhanced privacy/performance and potential security risks when disabling this feature. @@ -19641,7 +23111,7 @@ actions: They can also be remotely configured and set up in managed environments, such as enterprise organizations [2]. Disabling Exploit Guard can affect local or organizational configurations, such as those set by schools or employers. - Defender Antivirus is the built-in antimalware component in Windows [5]. + **Defender Antivirus** is the built-in antimalware component in Windows [5]. Exploit Guard operates independently from Defender Antivirus [5]. However, some features, like Attack Surface Reduction, depend on Defender Antivirus to function [1]. Exploit Guard may also require Defender Antivirus for some of its configurations [6]. @@ -19726,6 +23196,148 @@ actions: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' taskPathPattern: \Microsoft\Windows\ExploitGuard\ taskNamePattern: ExploitGuard MDM policy Refresh + - + category: Disable outdated Defender Application Guard + docs: |- + This category provides scripts to disable the deprecated Defender Application Guard, a feature + originally designed to protect business environments. + + Defender Application Guard is also referred to as **Microsoft Defender Application Guard (MDAG)** [1]. + It was formerly known as Windows Defender Application Guard [2]. + It uses hardware isolation to protect against internet-based attacks [1]. + It creates Hyper-V-enabled containers to isolate potentially harmful content [1]. + + MDAG consists of two main components: + + | Component | Description | + | --------- | ----------- | + | **Application Guard for Edge** [3] | Isolates untrusted websites in a separate container [1] | + | **Application Guard for Office** [3] | Opens untrusted Word, PowerPoint, and Excel files in an isolated environment [1] | + + Microsoft deprecated MDAG in 2023 and no longer provides updates [1] [3]. + Despite this, its components remain present in modern Windows computers [4]. + + Disabling MDAG can enhance privacy by reducing data collection associated with this feature. + It can also improve system performance by eliminating the overhead of running isolated containers. + Furthermore, it can increase security by removing outdated software and reducing your attack surface. + + However, disabling MDAG may reduce some security protections, particularly for enterprise users. + It may also affect functionality on work or school computers that rely on this feature. + + > **Caution**: + > Disabling this feature may decrease security in Edge and Office, and interfere with enterprise settings. + + [1]: https://web.archive.org/web/20240830165604/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview "Microsoft Defender Application Guard | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830165525/https://www.microsoft.com/en-us/security/blog/2017/10/23/making-microsoft-edge-the-most-secure-browser-with-windows-defender-application-guard/ "Making Microsoft Edge the most secure browser with Windows Defender Application Guard | Microsoft Security Blog | www.microsoft.com" + [3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240830165507/https://strontic.github.io/xcyclopedia/library/clsid_F80FC80C-6A04-46FB-8555-D769E334E9FC.html "CLSID F80FC80C-6A04-46FB-8555-D769E334E9FC | WindowsDefenderApplicationGuardCSP | STRONTIC | strontic.github.io" + children: + - + name: Disable Defender Application Guard isolation + recommend: null # Though outdated, it is significant security feature + docs: |- + This script disables the deprecated Defender Application Guard feature, which + isolates applications to enhance security. + + Application Guard uses **Windows Hypervisor** to create a secure virtual environment for certain apps [1]. + This isolation protects the system kernel and other applications from threats due to improper user + interactions or vulnerabilities in isolated apps [1]. + Microsoft deprecated the Application Guard feature in 2023 and no longer provides updates [2]. + + Disabling this feature may improve privacy by reducing system monitoring of application behavior in isolated + environments. + It can also boost system performance by freeing resources allocated to virtualization. + Additionally, it may increase security by removing deprecated software and reducing your attack surface. + However, it may also reduce security by removing a protective layer against threats from untrusted sources. + + > **Caution:** + > Disabling Application Guard may expose your system to increased security risks from malicious applications. + + ### Technical Details + + This script sets the registry value `AllowAppHVSI_ProviderSet` to `0` in the `HKLM\SOFTWARE\Policies\Microsoft\AppHVSI` + key, effectively disabling the Defender Application Guard [1] [3]. + + [1]: https://web.archive.org/web/20240830171011/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AllowAppHVSIConfig "Turn on Microsoft Defender Application Guard in Managed Mode | admx.help" + [2]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp#settingsallowwindowsdefenderapplicationguard "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AllowAppHVSI_ProviderSet + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Application Guard remote configuration + recommend: strict # Deprecated feature: No security benefits, potential privacy risks for personal use + docs: |- + This script disables Defender Application Guard's remote configuration capability. + + Defender Application Guard uses virtualization to isolate untrusted websites and files [1]. + As of 2023, Microsoft has discontinued support and updates for the Application Guard feature [2]. + + This feature can be configured remotely using tools like Microsoft Intune [3]. + Remote management of this feature is done through Configuration Service Providers (CSPs) [3] [4]. + + Disabling this feature enhances privacy by preventing remote modifications to your Application Guard settings. + It can potentially improve system performance by freeing up resources previously used for virtualization. + It can also enhance security by removing outdated software and reducing your attack surface. + However, disabling this feature may reduce security by blocking automatic security updates from your organization. + + > **Caution**: + > Disabling this feature may limit management systems' ability to adjust security settings automatically. + + ### Technical Details + + This script performs the following actions: + + - Deletes the **WindowsDefenderApplicationGuardCSP** COM object (CLSID `F80FC80C-6A04-46FB-8555-D769E334E9FC`) [5]. + - Removes the `windowsdefenderapplicationguardcsp.dll` file from the Windows System32 folder [5]. + + For more information on related configurations and the full range of settings affected, + see the official Microsoft documentation on the Defender Application Guard CSP [4]. + + [1]: https://web.archive.org/web/20240830165604/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview "Microsoft Defender Application Guard | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp#settingsallowwindowsdefenderapplicationguard "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240830172815/https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10 "Settings you can manage with Intune Endpoint Protection profiles for Windows 10/11 devices | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240830165507/https://strontic.github.io/xcyclopedia/library/clsid_F80FC80C-6A04-46FB-8555-D769E334E9FC.html "CLSID F80FC80C-6A04-46FB-8555-D769E334E9FC | WindowsDefenderApplicationGuardCSP | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F80FC80C-6A04-46FB-8555-D769E334E9FC} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{F80FC80C-6A04-46FB-8555-D769E334E9FC} + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\windowsdefenderapplicationguardcsp.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable auditing events in Defender Application Guard + recommend: strict # Deprecated feature; Not a core system feature, improves privacy + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig + - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AuditApplicationGuard + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - category: Disable automatic updates docs: |- @@ -19970,33 +23582,70 @@ actions: - name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) docs: |- - This script disables the Windows Update Medic Service. This service runs quietly in the background [1], - making sure that parts related to Windows updates are working as they should [1] [2]. - - This service can undo any adjustments you've made to your Windows Update settings without your consent. - For example, it can re-enable automatic Windows updates [3]. - That can interfere if you've tailored these settings for better privacy or security. - - By default, the service is enabled and its startup setting is set to manual [4] [5]. It executes - `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [5], known as "WaasMedic Service Dll" [6]. It stores remediation - configuration such as registry keys, tasks and services at `%WINDIR%\WaaS\` folder [7] [8] [9]. - Other related files include: - - | Path | Description | Windows 10 22H2 | Windows 11 23H2 | - | ---- |:-----------:|:---------------:|:---------------:| - | `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` | WaasMedic Agent Exe | โœ… Exists | โŒ Missing | - | `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` | WaasMedic Capsule Exe | โœ… Exists | โŒ Missing | - | `%SYSTEMROOT%\System32\WaaSMedicPS.dll` | WaaS Medic Proxy Stub library | โœ… Exists | โœ… Exists | - | `%SYSTEMROOT%\System32\WaaSAssessment.dll` | WaaS Assessment | โœ… Exists | โœ… Exists | - | `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` | WaaS Assessment | โŒ Missing | โœ… Exists | - | `%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll` | WaaS Assessment | โŒ Missing | โœ… Exists | - - > **Caution:** While this script provides greater control over Windows Update operations and enhances user - > privacy by limiting unsolicited data transmission to Microsoft, it's important to be aware of the potential - > impacts on system stability and update integrity. Disabling the Windows Update Medic Service prevents the - > self-healing capability of Windows Updates, favoring the maintenance of user-defined update preferences. + This script disables the Windows Update Medic Service (`WaaSMedicSvc`) and removes its + associated files and registry entries. + This service runs continuously in the background and maintains Windows Update components [1] [2] [3]. - ### Overview of default service statuses + Disabling this service prevents it from reverting your Windows Update settings, such as re-enabling + automatic updates without your permission [4]. + This gives you more control over your system's update behavior and settings. + + This script enhances your privacy by reducing data transmission to Microsoft related to Windows + Update processes. + + Disabling the service improves system performance by eliminating a background process. + + However, this can affect system stability and update reliability over time. + It may lead to update failures or incomplete updates. + As a result, you may miss critical security updates, potentially exposing your system to security + vulnerabilities. + + > **Caution**: + > Disabling this service may stop Windows from automatically fixing update issues. + > This may lead to update failures or security vulnerabilities if updates are not managed manually. + + ### Technical Details + + By default, the service is enabled with a manual startup type [5] [6]. + It runs `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [6], also known as the "WaaSMedic Service DLL" [7]. + It stores remediation settings like registry keys, tasks, and services in the `%WINDIR%\WaaS\` folder [8] [9] [10]. + + This script disables the service, terminates and blocks its executable, and removes its files + and Component Object Model (COM) objects. + + **Services Disabled**: + + - `WaaSMedicSvc` [1] [3] [4] [5] [6] [9] + + **Processes Blocked**: + + - `WaaSMedicAgent.exe` [3] + + **Files Removed**: + + - `%SYSTEMROOT%\UUS\amd64\WaaSMedicSvcImpl.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [3] [6] [7] + - `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicPS.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` [3] + - `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` [3] + - `%SYSTEMROOT%\System32\WaaSAssessment.dll` [11] + - All files within the `%SYSTEMROOT%\WaaS\` directory [8] [9] [10] + + **COM Objects Removed**: + + - WaaSMedicDocked.CBSHelper (ActivatableClassId: `Windows.Internal.WaaSMedicDocked.CBSHelper`) [3] + - WaaSMedicSvc (AppID: `2ED83BAA-B2FD-43B1-99BF-E6149C622692`) + - WaaSMedic Proxy Stub (CLSID: `63480537-5d3d-4c42-8ac4-22a2bc016244`) [3] + - IWaaSRemediationEx (Interface: `B4C1D279-966E-44E9-A9C5-CCAF4A77023D`) [3] + - IWaaSProtectedSettingsProvider (Interface: `e4dc719b-fe77-414f-9dbe-3e4ffea7a7a5`) [3] + - IWaaSRemediationEx types (Typelib: `3ff1aab8-f3d8-11d4-825d-00104b3646c0`) [3] + - `HKLM\Software\Classes\Microsoft.WaaSMedic.1` [3] + - `HKLM\Software\Classes\Microsoft.WaaSMedic` [3] + - WaaSRemediation (CLSID: `72566e27-1abb-4eb3-b4f0-eb431cb1cb32`) + - WaaSProtectedSettingsProvider (CLSID: `9ea82395-e31b-41ca-8df7-ec1cee7194df`) + + #### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | @@ -20005,25 +23654,27 @@ actions: [1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322โ€”Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support" [2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" - [3]: https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates ยท Issue #252 ยท undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [4]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" - [5]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com" - [6]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io" - [7]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" - [8]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net" - [9]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl" - call: - - - # Windows 10 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + [3]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" [4]: https://web.archive.org/web/20240828090735/https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates ยท Issue #252 ยท undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [5]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" + [6]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com" + [7]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [9]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net" + [10]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl" + [11]: https://web.archive.org/web/20240916090531/https://strontic.github.io/xcyclopedia/library/WaaSAssessment.dll-F695BFFC7B607DCEC7701DA68F35B448.html "WaaSAssessment.dll | WaaS Assessment | STRONTIC | strontic.github.io" + call: + - + # Standard service disabling methods proved ineffective in tests. + # Registry modification is required for successful disabling across all tested Windows versions: + # Windows 10 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` function: DisableServiceInRegistry parameters: serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - elevateToTrustedInstaller: 'true' - function: SoftDeleteFiles parameters: @@ -20036,13 +23687,17 @@ actions: - function: SoftDeleteFiles parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\WaaSMedicAgent.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ” Missing on Windows 11 since 23H2 + maximumWindowsVersion: Windows10-MostRecent - function: SoftDeleteFiles parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\WaaSMedicCapsule.dll' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ” Missing on Windows 11 since 23H2 + maximumWindowsVersion: Windows10-MostRecent - function: SoftDeleteFiles parameters: @@ -20056,19 +23711,96 @@ actions: - function: SoftDeleteFiles parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll' grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll' + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\UUS\amd64\WaaSMedicSvcImpl.dll' grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\WaaS\*' # Includes `services` and `tasks` folders that defines the desired state configuration on remediation. + fileGlob: '%SYSTEMROOT%\WaaS\*' # Includes `services` and `tasks` folders that defines the desired state configuration on remediation. grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 recurse: 'true' + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.WaaSMedicDocked.CBSHelper + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2ED83BAA-B2FD-43B1-99BF-E6149C622692} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{2ED83BAA-B2FD-43B1-99BF-E6149C622692} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{63480537-5d3d-4c42-8ac4-22a2bc016244} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Interface\{B4C1D279-966E-44E9-A9C5-CCAF4A77023D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Interface\{e4dc719b-fe77-414f-9dbe-3e4ffea7a7a5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{3ff1aab8-f3d8-11d4-825d-00104b3646c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\TypeLib\{3ff1aab8-f3d8-11d4-825d-00104b3646c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Microsoft.WaaSMedic + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Microsoft.WaaSMedic.1 + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{72566e27-1abb-4eb3-b4f0-eb431cb1cb32} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{9ea82395-e31b-41ca-8df7-ec1cee7194df} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 - name: Disable automatically enabling Windows Update Medic Service recommend: strict @@ -20101,7 +23833,7 @@ actions: [2]: https://web.archive.org/web/20231127032440/https://strontic.github.io/xcyclopedia/library/upfc.exe-299EA296575CCB9D2C1A779062535D5C.html "upfc.exe | Updateability From SCM | STRONTIC | strontic.github.io" [3]: https://en.wikipedia.org/w/index.php?title=Service_Control_Manager&oldid=1063455957 "Service Control Manager - Wikipedia | en.wikipedia.org" [4]: https://web.archive.org/web/20231129135553/https://blogs.windows.com/windows-insider/2018/07/31/announcing-windows-server-2019-insider-preview-build-17723/ "Announcing Windows Server 2019 Insider Preview Build 17723 | Windows Insider Blog | blogs.windows.com" - [5]: https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [5]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" [6]: https://web.archive.org/web/20231129135227/https://www.tenforums.com/windows-updates-activation/104945-stop-windows-10-updates-properly-completely-25.html "Stop Windows 10 Updates Properly and Completely Solved - Page 25 - Windows 10 Forums | www.tenforums.com" call: - @@ -20109,13 +23841,7 @@ actions: parameters: fileGlob: '%SYSTEMROOT%\System32\upfc.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 - beforeIteration: |- # Skip Windows versions older than Windows 10 22H2 (build number 19045) to avoid reported blue screen issues. - $osVersion = [System.Environment]::OSVersion.Version - function Test-IsBeforeWin10Version22H2 { ($osVersion.Major -lt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -lt 19045)) } - if (Test-IsBeforeWin10Version22H2) { - Write-Warning 'Skipping the removal of upfc.exe on systems older Windows versions to prevent possible system crashes or errors.' - exit 0 - } + minimumWindowsVersion: Windows10-22H2 # Skip Windows versions older than Windows 10 22H2 to avoid reported blue screen issues. - function: TerminateAndBlockExecution parameters: @@ -20681,18 +24407,29 @@ actions: - name: Disable "PerformRemediation" task docs: |- - This script disables the "PerformRemediation" scheduled task. + This script disables the `PerformRemediation` scheduled task in Windows. - This task is responsible for performing remediation or recovery actions for update-related services, ensuring that these services - are running in a supported configuration, particularly after updates. + This task performs recovery actions for update-related services to ensure they run in a supported configuration. - According to the Task Scheduler, this task aids in recovering update-related services to a supported configuration. + Disabling this task enhances privacy by reducing automatic system changes and limiting data collection related to updates. + It enhances control over system settings, letting users manage update configuration tasks without being overridden by the system. + It improves performance by preventing unnecessary background processes. + Microsoft recommends disabling this task in certain environments to minimize data collection and improve performance [1]. - This task restarts Windows Update Medic Service (`WaaSMedicSvc`), even if it is disabled manually [1]. - - Microsoft suggests disabling this task to minimize data collection and optimize performance [2]. + However, disabling this task may interfere with Windows' ability to fix update-related issues automatically, possibly + causing future update problems. - ### Overview of default task statuses + > **Caution**: + > Disabling this task may prevent Windows from automatically resolving update-related problems, + > which may affect system stability and security over time. + + ### Technical Details + + The `PerformRemediation` task is part of the **Windows Update Medic Service** [2]. + It can restart the Windows Update Medic Service even if the service is manually disabled [3]. + The task is located at `\Microsoft\Windows\WaaSMedic\PerformRemediation` [2]. + + #### Overview of default task statuses `\Microsoft\Windows\WaaSMedic\PerformRemediation`: @@ -20702,8 +24439,9 @@ actions: | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | - [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" - [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" + [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" + [2]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" call: function: DisableScheduledTask parameters: @@ -20961,7 +24699,7 @@ actions: > **Caution**: This script postpones critical security updates, increasing potential security risks for your computer. - [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [1]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" call: - function: SetRegistryValue @@ -21665,6 +25403,7 @@ actions: parameters: packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI publisherId: 8wekyb3d8bbwe + - category: UI for privacy children: @@ -29547,7 +33286,7 @@ actions: [6]: https://web.archive.org/web/20240218225733/https://github.com/undergroundwires/privacy.sexy/issues/166 "[BUG]: Network & Internet Problem after using the script ยท Issue #166 ยท undergroundwires/privacy.sexy | GitHub | github.com/undergroundwires/privacy.sexy" [7]: https://web.archive.org/web/20240812132702/https://github.com/undergroundwires/privacy.sexy/issues/225 "[Improvements] possible workaround for issue #110 ยท Issue #225 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" [8]: https://web.archive.org/web/20240812131424/https://github.com/undergroundwires/privacy.sexy/issues/314 "[BUG]: Script that breaks calendar in taskbar ยท Issue #314 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" - [9]: https://archive.ph/2024.08.12-133902/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038%23WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + [9]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" [10]: https://archive.ph/2024.08.12-133132/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_10 "Windows 10 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com" [11]: https://archive.ph/2024.08.12-133105/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_11 "Windows 11 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com" [12]: https://web.archive.org/web/20240812131129/https://github.com/undergroundwires/privacy.sexy/issues/227 "[BUG]: Disabling \"Windows Push Notification Service\" also breaks action center ยท Issue #227 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" @@ -30373,7 +34112,7 @@ functions: # Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them. # It does not touch any of the folders. # This allows for easier restoration and less immediate disruption compared to permanent deletion. - # Try `grantPermissions` to elevate privileges first then `elevateToTrustedInstaller` as last effort.ยด + # Try `grantPermissions` to elevate privileges first then `elevateToTrustedInstaller` as last effort. parameters: - name: fileGlob - name: grantPermissions # Grants permission on the files found, and restores original permissions after modification. @@ -30382,7 +34121,11 @@ functions: optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + - name: elevateToTrustedInstaller # Only use if `grantPermissions` fails, see `RunPowerShellWithOptionalElevation` + optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true call: - @@ -30399,6 +34142,8 @@ functions: - function: IterateGlob parameters: + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' pathGlob: '{{ $fileGlob }}' revertPathGlob: '{{ $fileGlob }}.OLD' @@ -30565,7 +34310,7 @@ functions: Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items." } if ($failedCount -gt 0) { - Write-Warning "Failed to processed $($failedCount) items." + Write-Warning "Failed to process $($failedCount) items." } {{ with $grantPermissions }} [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null @@ -30742,23 +34487,25 @@ functions: optional: true - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true - - name: setupCode # PowerShell code to execute before elevation. + - name: setupCodeUnelevated # PowerShell code to execute before elevation. + optional: true + - name: setupCodeElevated # PowerShell code to execute after elevation. optional: true docs: |- - This function executes PowerShell code with optional TrustedInstaller privileges, whic - may be required for performing system-level tasks that require the highest permission levels. + This function executes PowerShell code with optional TrustedInstaller privileges, which + may be required for performing system-level tasks that require the highest permission levels. - It is designed to handle tasks that cannot be completed under normal user or administrator privileges, - such as modifying protected registry keys or system files. + It is designed to handle tasks that cannot be completed under normal user or administrator privileges, + such as modifying protected registry keys or system files. call: function: RunPowerShellWithWindowsVersionConstraints parameters: minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' # Issues and workarounds: - # privacy.sexy word triggering Defender (https://github.com/undergroundwires/privacy.sexy/issues/421) + # - privacy.sexy word triggering Defender (https://github.com/undergroundwires/privacy.sexy/issues/421) # Using `cAByAGkAdgBhAGMAeQAuAHMAZQB4AHkA` base64 encoding of `privacy.sexy` - # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. + # - PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. # Seen e.g. on Windows 11 when reverting scripts after executing them and reboot. # They are seen to throw different exceptions: # - `Unregister-ScheduledTask : The system cannot find the file specified` @@ -30777,83 +34524,86 @@ functions: # - โŒ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - โœ… Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. + # - Inlining is not working when elevated, should use `{{ . | inlinePowerShell}}` when elevated (refactor-with-if-syntax). + # Inlinining PowerShell would help save space to not hit maximum batch command length limit (8191) setupCode: |- {{ with $elevateToTrustedInstaller }} - function Invoke-AsTrustedInstaller { - param ( ` - [Parameter(Mandatory=$true)] ` - [string]$Script ` - ) - $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') - $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) - $streamOutFile = New-TemporaryFile + function Invoke-AsTrustedInstaller($Script) { + $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') + $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]) + $streamFile = New-TemporaryFile $scriptFile = New-TemporaryFile try { $scriptFile = Rename-Item ` -LiteralPath $scriptFile ` - -NewName "$($scriptFile.BaseName).ps1" ` + -NewName ($scriptFile.BaseName + '.ps1') ` + -Force ` -PassThru $Script | Out-File $scriptFile -Encoding UTF8 - $taskName = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(('cAByAGkAdgBhAGMAeQAuAHMAZQB4AHkA'))) + ' invoke' - schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output - $scriptExecutionCommand = "powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamOutFile' -Encoding UTF8" - $taskAction = New-ScheduledTaskAction ` + $taskName = "privacy$([char]0x002E)sexy invoke" + schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null + $executionCommand = "powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8" + $action = New-ScheduledTaskAction ` -Execute 'powershell.exe' ` - -Argument "-ExecutionPolicy Bypass -Command `"$scriptExecutionCommand`"" - $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries + -Argument "-ExecutionPolicy Bypass -Command `"$executionCommand`"" + $settings = New-ScheduledTaskSettingsSet ` + -AllowStartIfOnBatteries ` + -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` - -Action $taskAction ` + -Action $action ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() - $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null - $timeOutLimit = (Get-Date).AddMinutes(5) - Write-Host "Running as `"$trustedInstallerName`"" - while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { + $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null + $timeout = (Get-Date).AddMinutes(5) + Write-Host "Running as $principalName" + while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 - if((Get-Date) -gt $timeOutLimit) { - Write-Warning "Skipping results, it took so long to execute script." + if ((Get-Date) -gt $timeout) { + Write-Warning 'Skipping: Timeout' break } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { - Write-Error "Failed to execute with exit code: $result." + Write-Error "Failed, due to exit code: $result." } } finally { - schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors + schtasks.exe /delete /tn $taskName /f | Out-Null } - Get-Content $streamOutFile + Get-Content $streamFile } finally { - Remove-Item $streamOutFile, $scriptFile + Remove-Item $streamFile, $scriptFile } } {{ end }}{{ with $setupCode }} - {{ . }} + {{ . {{ with $elevateToTrustedInstaller }} | inlinePowershell {{ end }} }} {{ end }} code: |- {{ with $elevateToTrustedInstaller }} - $command = @' + $cmd = @' {{ end }} + {{ with $setupCodeElevated }} {{ . }} {{ end }} {{ $code }} {{ with $elevateToTrustedInstaller }} '@ - Invoke-AsTrustedInstaller "$command" + Invoke-AsTrustedInstaller $cmd {{ end }} revertCode: |- {{ with $revertCode }} {{ with $elevateToTrustedInstaller }} - $command = @' + $cmd = @' {{ end }} + {{ with $setupCodeElevated }} {{ . }} {{ end }} {{ . }} {{ with $elevateToTrustedInstaller }} '@ - Invoke-AsTrustedInstaller "$command" + Invoke-AsTrustedInstaller $cmd {{ end }} {{ end }} - @@ -31023,9 +34773,13 @@ functions: # Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11. name: setDefaultOnWindows11 optional: true + - + name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true call: - function: RunPowerShell + function: RunPowerShellWithOptionalElevation parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' # Unsupported arguments -> # Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms @@ -31507,10 +35261,16 @@ functions: optional: true - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true call: function: RunPowerShellWithOptionalElevation parameters: elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' code: |- $pathGlobPattern = "{{ $pathGlob }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) @@ -32673,10 +36433,11 @@ functions: - function: RunPowerShellWithOptionalElevation parameters: - setupCode: '{{ with $setupCode }}{{ . }}{{ end }}' + setupCodeUnelevated: '{{ with $setupCode }}{{ . }}{{ end }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' code: |- + $registryPath = '{{ $keyPath }}' $data = '{{ $data }}' {{ with $evaluateDataAsPowerShell }} $data = $({{ $data }}) @@ -32993,7 +36754,7 @@ functions: | Where-Object { $_.Value -eq $executableFilename } if ($existingBlockingRuleForExecutable) { $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name - Write-Output "Skipping, no action needed: `$executableFilename` is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"." + Write-Output "Skipping, no action needed: '$executableFilename' is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"." exit 0 } $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties ` @@ -33476,7 +37237,7 @@ functions: 'Windows10-1909' { '10.0.18363' } 'Windows10-1607' { '10.0.14393' } default { - throw "Internal privacy.sexy error: No build for minimum Windows '$versionName'" + throw "Internal privacy$([char]0x002E)sexy error: No build for minimum Windows '$versionName'" } } $minVersion = [System.Version]::Parse($buildNumber) @@ -33495,7 +37256,7 @@ functions: 'Windows10-1909' { '10.0.18363' } 'Windows10-1903' { '10.0.18362' } default { - throw "Internal privacy.sexy error: No build for maximum Windows '$versionName'" + throw "Internal privacy$([char]0x002E)sexy error: No build for maximum Windows '$versionName'" } } $maxVersion=[System.Version]::Parse($buildNumber) @@ -33719,7 +37480,7 @@ functions: $path = "$($hive):$($rawPath.Substring($hive.Length))" Write-Host "Restoring value '$value' at '$path' with type '$rawType' and value '$data'." if (-Not $rawType) { - throw "Internal privacy.sexy error: Data type is not provided for data '$data'." + throw "Internal privacy$([char]0x002E)sexy error: Data type is not provided for data '$data'." } if (-Not (Test-Path -LiteralPath $path)) { try { @@ -33749,7 +37510,7 @@ functions: 'REG_QWORD' { 'QWord' } 'REG_EXPAND_SZ' { 'ExpandString' } default { - throw "Internal privacy.sexy error: Failed to find data type for: '$rawType'." + throw "Internal privacy$([char]0x002E)sexy error: Failed to find data type for: '$rawType'." } } Set-ItemProperty ` @@ -34002,7 +37763,7 @@ functions: valueName: 'HiddenByDefault' dataType: REG_DWORD data: '1' # It hides on Windows 11 Pro (โ‰ฅ 23H2) 11, this is the default behavior but this value is missing by default - deleteOnRevert: 'true' # Missing on Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + deleteOnRevert: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) minimumWindowsVersion: Windows11-FirstRelease # `HiddenByDefault` has no effect Windows 10 - function: SetRegistryValue @@ -34011,7 +37772,7 @@ functions: valueName: 'HideIfEnabled' dataType: REG_DWORD data: '0x22ab9b9' # Default value on Windows 11 Pro (โ‰ฅ 23H2) 11, it hides - dataOnRevert: '0x22ab9b9' # Default value: Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0x22ab9b9` on Windows 11 Pro (โ‰ฅ 23H2) + dataOnRevert: '0x22ab9b9' # Default value: ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0x22ab9b9` on Windows 11 Pro (โ‰ฅ 23H2) minimumWindowsVersion: Windows11-FirstRelease # `HideIfEnabled` has no effect Windows 10 - function: ShowExplorerRestartSuggestion @@ -34422,3 +38183,311 @@ functions: matchDataBeforeDelete: '{{ $progId }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + - + name: DisablePushNotifications + parameters: + - name: appUserModelId # The Application User Model ID (AppUserModelID) of the target application. + docs: |- + This function disables push/toast notifications for a given application by modifying registry + keys associated with Windows notification settings. + + These application user model IDs (AppUserModelId) are extensively used by the Windows taskbar to + associate processes, files, and windows with particular applications [1]. + Notifications in Windows point to these IDs [2] [3]. + Existence of these IDs can be verified by checking `HKCR\AppUserModelId\{{ appUserModelId }}` + registry key. + + The function performs the following registry operations: + + - Configures `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\{{ appUserModelId }}!Enabled`. + - This mirrors the behavior when a user disables notifications via the Windows UI [4]. + - These values do not exist by default on newer Windows versions (Windows 10 Pro โ‰ฅ 22H2, Windows 11 Pro โ‰ฅ 23H2). + - Soft-deletes the key `HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\{{ appUserModelId }}`. + - This key is typically owned by TrustedInstaller and may contain application-specific notification configurations [2]. + - Soft-deletes the key `HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\{{ appUserModelId }}`. + - This key is typically registered by default for each notifying application [3]. + + [1]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240902090432/https://stackoverflow.com/questions/67005337/how-works-notifications-on-windows-registry-no-shortlink/67005338#67005338 "How works notifications on windows (registry, no shortlink) - Stack Overflow | stackoverflow.com" + [4]: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ "Disabling Windows 10 Notifications via Group Policy | Platforms, Lync, the Cloud, Oh My! | blogs.technet.microsoft.com" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\{{ $appUserModelId }} + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\{{ $appUserModelId }} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\{{ $appUserModelId }} + - + name: SoftDeleteRegistryKey + parameters: + - name: keyPath # Full path of the subkey or entry to be deleted. No glob/wildcard interpretation. + - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + docs: |- + This function recursively renames a specified registry key, all its subkeys, and all their + values by adding ".OLD" suffix. + + It provides an alternative to deleting registry keys when: + + - Preserving permissions on revert are important as renaming would preserve the original OS permissions. + - Default OS settings are deep or contains multiple values, this way the original revert data is preserved. + + ### Order of processing + + For a sample registry structure: + + ``` + Root key + โ”œโ”€โ”€ Value 1 + โ”œโ”€โ”€ Value 2 + โ”œโ”€โ”€ Value 3 + โ”œโ”€โ”€ Subkey 1 + โ”‚ โ”œโ”€โ”€ Value 1 + โ”‚ โ””โ”€โ”€ Value 2 + โ””โ”€โ”€ Subkey 2 + โ”œโ”€โ”€ Value 1 + โ””โ”€โ”€ Value 2 + ``` + + The order of soft deletion would be: + + 1. Rename root key values (Value 1, Value 2, Value 3) + 2. Rename Subkey 1 values (Value 1, Value 2) + 3. Rename Subkey 1 itself + 4. Rename Subkey 2's values (Value 1, Value 2) + 5. Rename Subkey 2 itself + 6. Rename the root key + + The revert process supports recovering from partially failed soft deletion: + + 1. Restore root key + 2. Restore root key values (Value 1, Value 2, Value 3) + 3. Restore Subkey 1 itself + 4. Restore Subkey 1 values (Value 1, Value 2) + 5. Restore Subkey 2 itself + 6. Restore Subkey 2's values (Value 1, Value 2) + call: + - + function: Comment + parameters: + codeComment: >- + Soft-delete the registry key: {{ $keyPath }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} + revertCodeComment: >- + Restore registry key: {{ $keyPath }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} + - + function: RunPowerShellWithOptionalElevation + parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' + # Issues and workarounds: + # - Copy values before deleting to ensure partial deletions if keys are protected + # - Explicitly copy ACLs as `reg copy` and `Rename-Item`, `Copy-Item` don't preserve them + # Use bottom-up traversal to avoid permission errors due to lack of parrent access. + # - Handle copy and delete separately to avoid leftover copies on failure. + # `Rename-Item` keeps a copy when it fails. + # - Modify ACL object before `Set-Acl` to ensure populated data. + # Workaround for https://stackoverflow.com/a/4784764. + # Above workaround does not set inheritence correctly, so using SDDL, reproduce: + # 1. Copy HKLM\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF} + # 2. Check Permissions > Advanced Security + # - Use -Path instead of -LiteralPath for `Get-Acl` and `Set-Acl` with registry keys + setupCodeElevated: |- + function Copy-Acl($Src, $Dst) { + $srcKeys = @(Get-ChildItem -LiteralPath $Src -ErrorAction SilentlyContinue) + foreach ($key in $srcKeys) { + $dstKey = Join-Path $Dst $key.PSChildName + Copy-Acl -Src $key.PSPath -Dst $dstKey + } + $acl = Get-Acl -Path $Src -ErrorAction Stop + $sections = [System.Security.AccessControl.AccessControlSections]::All -band (-bnot [System.Security.AccessControl.AccessControlSections]::Owner) + $sddl = $acl.GetSecurityDescriptorSddlForm($sections) + $acl.SetSecurityDescriptorSddlForm($sddl, $sections) + Set-Acl -Path $Dst -AclObject $acl -ErrorAction Stop + } + function Rename-KeyWithAcl($Old, $New) { + try { + Copy-Item -LiteralPath $Old -Destination $New -Recurse -Force -ErrorAction Stop + } catch { + throw "Failed to copy: $_" + } + try { + Copy-Acl -Src $Old -Dst $New + } catch { + Write-Warning "Failed to copy ACL: $_" + } + try { + Remove-Item -LiteralPath $Old -Force -Recurse -ErrorAction Stop | Out-Null + } catch { + try { + Remove-Item -LiteralPath $New -Force -Recurse -ErrorAction Stop | Out-Null + } catch { + Write-Warning "Failed to clean up: $_" + } + throw "Failed to remove: $_" + } + } + code: |- + $rawPath='{{ $keyPath }}' + $suffix='.OLD' + $global:ok = 0 + $global:skip = 0 + $global:fail = 0 + function Rename-KeyTree($Path) { + Write-Host "Processing key: $Path" + if (-Not (Test-Path -LiteralPath $Path)) { + Write-Host 'Skipping: Key does not exist.' + $global:skip++ + return + } + $values = (Get-Item -LiteralPath $Path -ErrorAction Stop | Select-Object -ExpandProperty Property) + foreach ($value in $values) { + Write-Host "Renaming '$value'" + if ($value.EndsWith($suffix)) { + Write-Host 'Skipping: Has suffix.' + $global:skip++ + continue + } + $backupName = $value + $suffix + Write-Host "Renaming to '$backupName'." + try { + Rename-ItemProperty -LiteralPath $Path -Name $value -NewName $backupName -ErrorAction Stop + Write-Host 'Successfully renamed.' + $global:ok++ + } catch { + Write-Warning "Failed to rename value: $_" + $global:fail++ + } + } + $subkeys = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) + foreach ($key in $subkeys) { + Rename-KeyTree $key.PSPath + } + Write-Host "Renaming key '$Path'." + if ($Path.EndsWith($suffix)) { + Write-Host 'Skipping: Has suffix.' + $global:skip++ + } else { + $backupPath = $Path + $suffix + while (Test-Path -LiteralPath $backupPath) { + $backupPath += $suffix + } + Write-Host "Renaming to '$backupPath'." + try { + Rename-KeyWithAcl -Old $Path -New $backupPath -ErrorAction Stop + Write-Host 'Successfully renamed.' + $global:ok++ + } catch { + Write-Warning "Failed to rename: $_" + $global:fail++ + } + } + } + Write-Host "Soft deleting registry key '$rawPath' recursively." + $hive = $rawPath.Split('\')[0] + $path = $hive + ':' + $rawPath.Substring($hive.Length) + Rename-KeyTree $path + $totalItems = $global:ok + $global:skip + $global:fail + Write-Host "Total items: $totalItems, Renamed: $global:ok, Skipped: $global:skip, Failed: $global:fail" + if (($totalItems -eq 0) -or ($totalItems -eq $global:skip)) { + Write-Host 'No items were processed. The operation had no effect.' + } elseif ($global:fail -eq $totalItems) { + throw "Operation failed. All $global:fail items could not be processed." + } elseif ($global:ok) { + Write-Host "Successfully processed $global:ok item(s)." + } + revertCode: |- + $rawPath='{{ $keyPath }}' + $suffix ='.OLD' + $global:fail = 0 + $global:ok = 0 + function Get-Real($s) { + while ($s.EndsWith($suffix)) { + $s = $s.Substring(0, $s.Length - $suffix.Length) + } + return $s + } + function Restore-KeyTree($Path) { + $dest = Get-Real $Path + $src = $Path + Write-Host "Restoring key: '$dest' from '$src'" + if (-Not $src.EndsWith($suffix)) { + $src += $suffix + if (-Not (Test-Path -LiteralPath $src)) { + Write-Host 'Skipping: No data.' + Restore-Children $dest + return + } + } + if (Test-Path -LiteralPath $dest) { + Write-Host 'Skipping to avoid data loss. Key already exists.' + Write-Warning "Manual intervention may be required to fully restore from '$src'." + } else { + try { + Rename-KeyWithAcl -Old $src -New $dest -ErrorAction Stop + Write-Host 'Successfully restored.' + $global:ok++ + } catch { + Write-Warning "Failed: $_" + $global:fail++ + } + } + Restore-Children $dest + } + function Restore-Children($Path) { + Write-Host "Restoring values in '$Path'" + if (-Not (Test-Path -LiteralPath $Path)) { + Write-Host 'Skipping: Key does not exist. No action needed.' + return + } + $values = ( ` + Get-Item -LiteralPath $Path -ErrorAction Stop | Select-Object -ExpandProperty Property ` + ) + foreach ($value in $values) { + Write-Host "Restoring value '$value'" + if (-Not $value.EndsWith($suffix)) { + Write-Host 'Skipping: No action needed.' + continue + } + $real = Get-Real $value + Write-Host "Renaming to '$real'." + try { + Rename-ItemProperty -LiteralPath $Path -Name $value -NewName $real -ErrorAction Stop + Write-Host 'Successfully restored.' + $global:ok++ + } catch { + Write-Warning "Failed: $_" + $global:fail++ + } + } + $keys = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) + foreach ($key in $keys) { + Restore-KeyTree $key.PSPath + } + } + Write-Host "Restoring registry key '$rawPath' recursively." + $hive = $rawPath.Split('\')[0] + $path = $hive + ':' + $rawPath.Substring($hive.Length) + Restore-KeyTree $path + if ($global:fail) { + Write-Error 'Failed to restore' + Exit 1 + }