├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── AchillesScript.cmd ├── LICENSE ├── Media ├── AchillesScript.ico ├── AchillesScript.png ├── tui_en.png └── tui_ru.png └── README.md /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /AchillesScript.cmd: -------------------------------------------------------------------------------- 1 | ::https://github.com/lostzombie/AchillesScript 2 | @echo off 3 | 4 | ::##Setting#################################################################### 5 | 6 | ::set NoBackup=1 7 | ::set NoSecHealth=1 8 | 9 | ::############################################################################# 10 | 11 | cls&chcp 65001>nul 2>&1&color 0F 12 | set "asv=ver 1.6.5" 13 | set AS=Achilles 14 | set "ifdef=if defined" 15 | set "ifNdef=if not defined" 16 | set "else=^|^|" 17 | set "then=^&^&" 18 | dir "%windir%\sysnative">nul 2>&1&&set "sysdir=%windir%\sysnative"||set "sysdir=%windir%\system32" 19 | if "%sysdir%"=="X:\windows\system32" set "sys=" 20 | for %%i in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do ( 21 | if exist "%%i:\Windows\System32" ( 22 | set "sys=%%i" 23 | goto :SysFound 24 | ) 25 | ) 26 | :SysFound 27 | set "sysdir=%sys%:\windows\system32" 28 | set "cmd=%sysdir%\cmd.exe" 29 | set "reg=%sysdir%\reg.exe" 30 | set "ra=%reg% add" 31 | set "rq=%reg% query" 32 | set "rd=%reg% delete" 33 | set "rs=%reg% save" 34 | set "dw=REG_DWORD" 35 | set "sz=REG_SZ" 36 | set "bcdedit=%sysdir%\bcdedit.exe" 37 | set "sc=%sysdir%\sc.exe" 38 | set "findstr=%sysdir%\findstr.exe" 39 | set powershell="%sysdir%\WindowsPowerShell\v1.0\powershell.exe" 40 | set "sp=Set-MpPreference" 41 | set "regsvr32=%sysdir%\regsvr32.exe" 42 | set "whoami=%sysdir%\whoami.exe" 43 | set "schtasks=%sysdir%\schtasks.exe" 44 | set "shutdown=%sysdir%\shutdown.exe" 45 | set "timeout=%sysdir%\timeout.exe" 46 | set "reagentc=%sysdir%\reagentc.exe" 47 | set "tk=%sysdir%\taskkill.exe" 48 | set "gpupdate=%sysdir%\gpupdate.exe" 49 | set "Script=%~dpnx0" 50 | set ScriptPS=\"%~dpnx0\" 51 | set ASR="HKLM\Software\%AS%Script" 52 | set "pth=%~dp0" 53 | %ifdef% save goto :SkipFindSave 54 | %rq% %ASR% /v "Save" >nul 2>&1&&for /f "tokens=2*" %%a in ('%rq% %ASR% /v "Save" 2^>nul') do (set "save=%%b"&goto :SkipFindSave) 55 | %ifNdef% save set "save=%pth%" 56 | %ifNdef% usertemp set "usertemp=%tmp%" 57 | set SaveDesktop= 58 | if "%pth%"=="%tmp%\" set SaveDesktop=1 59 | %ifNdef% save if "%pth%"=="%usertemp%\" set SaveDesktop=1 60 | %ifdef% SaveDesktop for /f "tokens=2*" %%a in ('%rq% "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop" 2^>nul') do set "save=%%b" 61 | %ifdef% SaveDesktop for /f "tokens=*" %%a in ('echo %save%') do @set save=%%a 62 | %ifdef% SaveDesktop if not exist "%save%" set "save=%USERPROFILE%\Desktop" 63 | set "save=%save%\Achilles Backup\" 64 | :SkipFindSave 65 | set "arg1=%~1" 66 | set "arg2=%~2" 67 | shift 68 | set "args=%*" 69 | set "tiargs=%args:ti=%" 70 | set "tiargs=%tiargs:~1%" 71 | set "msg=call :2LangMsg" 72 | set "err=call :2LangErr" 73 | set "errn=call :2LangErrNoPause" 74 | set L=ru 75 | set isTrustedInstaller= 76 | set UserSettingDone= 77 | set BackUpDone= 78 | Set PoliciesDone= 79 | ::############################################################################# 80 | set "dl=disable" 81 | set "df=defend" 82 | set "wd=Windows %df%er" 83 | set "ss=SmartScreen" 84 | set "cv=CurrentVersion" 85 | set "scc=\SYSTEM\CurrentControlSet\Control" 86 | set "smw=\Software\Microsoft\Windows" 87 | set "spm=\SOFTWARE\Policies\Microsoft" 88 | set "smwd=%smw% %df%er" 89 | set "smwci=%smw% NT\%cv%\Image File Execution Options" 90 | set "spmwd=%spm%\%wd%" 91 | set "sccd=%scc%\DeviceGuard" 92 | set "scs=\SYSTEM\CurrentControlSet\Services" 93 | set "scl=\SOFTWARE\Classes" 94 | set "uwpsearch=HKLM%scl%\Local Settings%smw%\%cv%\AppModel\PackageRepository\Packages" 95 | set "regback=%save%Registry Backup" 96 | :: 97 | (%rq% "HKCU\Control Panel\International\User Profile\%L%">nul 2>&1) %then% (set Lang=%L%) %else% ((%rq% "HKLM%scc%\Nls\Language" /v Default|find "0x409">nul 2>&1) %then% (set Lang=%L%)) 98 | %ifNdef% Lang (title %AS%' Script) else (title Ахилесов Скрипт) 99 | :: 100 | %whoami% /groups | find "S-1-5-32-544" >nul 2>&1||%ifdef% Lang (echo Запустите этот файл из под учетной записи с правами администратора)&pause&exit else (echo Run this file under an account with administrator rights)&pause&exit 101 | if not exist %powershell% %err% "Error %powershell% file not exist" "Ошибка файл %powershell% не найден" 102 | call :CheckTrusted||%bcdedit% >nul 2>&1||(if AdminRestart==1 %err% "Error - bcdedit is broken or unable to get admin rights using powershell" "Ошибка - bcdedit поломан или невозможно получить права администратора с помощью powershell") 103 | call :CheckTrusted||%bcdedit% >nul 2>&1||(set AdminRestart=1&%msg% "Requesting Administrator privileges..." "Запрос привилегий администратора..."&%powershell% -MTA -NoP -NoL -NonI -EP Bypass -c Start-Process %cmd% -ArgumentList '/c', '%ScriptPS% %args%' -Verb RunAs&exit) 104 | echo test>>"%pth%test.ps1"&&del /f /q "%pth%test.ps1"||(%err% "Testing write error in %pth%test.ps1" "Ошибка тестовой записи в %pth%test.ps1") 105 | echo test>>"%pth%test.cmd"&&del /f /q "%pth%test.cmd"||(%err% "Testing write error in %pth%test.cmd" "Ошибка тестовой записи в %pth%test.cmd") 106 | set REBOOT_PENDING= 107 | %rq% "HKLM%smw%\%cv%\WindowsUpdate\Auto Update\RebootRequired" > nul 2>&1 && set REBOOT_PENDING=1 108 | %rq% "HKLM%smw%\%cv%\Component Based Servicing\RebootPending" > nul 2>&1 && set REBOOT_PENDING=1 109 | %ifNdef% arg1 %ifdef% REBOOT_PENDING %err% "Scheduled actions during reboot, reboot before using the script" "Запланированы действия во время перезагрузки, перед использованием скрипта перезагрузитесь" 110 | %ifdef% arg1 %ifdef% REBOOT_PENDING %errn% "Scheduled actions during reboot, reboot before using the script" "Запланированы действия во время перезагрузки, перед использованием скрипта перезагрузитесь" 111 | ::Args 112 | %ifdef% arg1 ( 113 | for %%i in (apply multi restore block unblock ti backup safeboot winre sac uwpoff uwpon) do if [%arg1%]==[%%i] set "isValidArg=%%i" 114 | %ifNdef% isValidArg %errn% "Invalid command line arguments %args%" "Недопустимые аргументы командной строки %args%" 115 | set isValidArg= 116 | ) 117 | (%rq% %ASR%>nul 2>&1) %then% (%rq% %ASR% /v "BackUpDone" 2>nul|find "1">nul 2>&1) %then% (set BackUpDone=1)>nul 2>&1 118 | (%rq% %ASR%>nul 2>&1) %then% (%rq% %ASR% /v "PoliciesDone" 2>nul|find "1">nul 2>&1) %then% (set PoliciesDone=1)>nul 2>&1 119 | %rd% %ASR% /f >nul 2>&1 120 | %ifNdef% arg1 if exist "%pth%hkcu.txt" del /f /q "%pth%hkcu.txt">nul 2>&1&set UserSettingDone= 121 | if "%arg1%"=="apply" ( 122 | %ifdef% arg2 for %%i in (1 2 3 4 6 policies setting services block) do if [%arg2%]==[%%i] set "isValidArg=%%i" 123 | %ifNdef% isValidArg %errn% "Invalid command line arguments %args%" "Недопустимые аргументы командной строки %args%" 124 | %ifdef% arg2 for %%i in (1 2 3 4 6) do if [%arg2%]==[%%i] call :Menu%%i 125 | if [%arg2%]==[policies] set Policies=1 126 | if [%arg2%]==[setting] set Registry=1 127 | if [%arg2%]==[services] set Services=1 128 | if [%arg2%]==[block] set Block=1 129 | call :MAIN 130 | ) 131 | if "%arg1%" neq "multi" goto :SkipMulti 132 | :multi 133 | set "multi=%~1" 134 | set isValidArg= 135 | %ifdef% multi for %%i in (policies setting services block) do if [%multi%]==[%%i] set "isValidArg=%%i" 136 | %ifNdef% isValidArg %errn% "Invalid command line arguments %args%" "Недопустимые аргументы командной строки %args%" 137 | if [%isValidArg%]==[policies] set Policies=1 138 | if [%isValidArg%]==[setting] set Registry=1 139 | if [%isValidArg%]==[services] set Services=1 140 | if [%isValidArg%]==[block] set Block=1 141 | shift 142 | if [%~1] == [] call :MAIN 143 | goto :multi 144 | :SkipMulti 145 | if "%arg1%"=="restore" call :Menu6 146 | if "%arg1%"=="block" if "%arg2%" neq "" (call :BlockProcess %arg2%&exit /b) 147 | if "%arg1%"=="unblock" if "%arg2%" neq "" (call :UnBlockProcess %arg2%&exit /b) 148 | if "%arg1%"=="ti" (call :TrustedRun "%tiargs%"&exit /b %errorlevel%) 149 | if "%arg1%"=="backup" ( 150 | call :CheckTrusted||del /f /q "%save%MySecurityDefaults.reg">nul 2>&1 151 | call :CheckTrusted||rd /s /q "%regback%">nul 2>&1 152 | call :CheckTrusted||(call :Backup&set UserSettingDone=1) 153 | call :CheckTrusted||(call :TrustedRun "%Script% %args%"&&exit) 154 | call :Backup 155 | exit /b 156 | ) 157 | if "%arg1%"=="safeboot" call :Reboot2Safe only 158 | if "%arg1%"=="winre" call :WinRE&exit /b 159 | if "%arg1%"=="sac" call :SAC&exit /b 160 | if "%arg1%"=="uwpoff" if "%arg2%" neq "" (call :BlockUWP %arg2%&exit /b) 161 | if "%arg1%"=="uwpon" if "%arg2%" neq "" (call :UnBlockUWP %arg2%&exit /b) 162 | if "%arg1%" neq "" %err% "Invalid command line arguments %args%" "Недопустимые аргументы командной строки %args%" 163 | :: 164 | %msg% "Determining the Windows version..." "Определение версии Windows..." 165 | for /f "tokens=4 delims= " %%v in ('ver') do set "win=%%v" 166 | for /f "tokens=3 delims=." %%v in ('echo %win%') do set /a "build=%%v" 167 | for /f "tokens=1 delims=." %%v in ('echo %win%') do set /a "win=%%v" 168 | for /f "tokens=4" %%a in ('ver') do set "WindowsBuild=%%a" 169 | set "WindowsBuild=%WindowsBuild:~5,-1%" 170 | if [%win%] lss [10] %ifdef% Lang (echo Этот скрипт разработан для Windows 10 и новее)&echo.&pause&exit else (echo This Script is designed for Windows 10 and newer)&echo.&pause&exit 171 | for /f "tokens=2*" %%a in ('%rq% "HKLM%smw% NT\%cv%" /v ProductName') do set "WindowsVersion=%%b" 172 | if [%build%] gtr [22000] set WindowsVersion=%WindowsVersion:10=11% 173 | ::############################################################################# 174 | :BEGIN 175 | set isValidItem= 176 | set Item= 177 | call :Screen 178 | %ifNdef% Lang (set /p Item="Enter menu item number using your keyboard [0-6]:") else (set /p Item="Введите номер пункта меню используя клавиатуру [0-6]:") 179 | for %%i in (1 2 3 4 5 6 0) do if [%Item%]==[%%i] set "isValidItem=%%i" 180 | %ifNdef% isValidItem goto :BEGIN 181 | if [%Item%] == [0] exit 182 | call :Menu%Item% 183 | 184 | :Menu1 185 | set Policies=1 186 | call :MAIN 187 | :Menu2 188 | set Registry=1 189 | call :Menu1 190 | :Menu3 191 | set Services=1 192 | call :Menu2 193 | :Menu4 194 | set Block=1 195 | call :Menu3 196 | :Menu5 197 | cls 198 | echo. 199 | call :MiniHelp 200 | goto :BEGIN 201 | :Menu6 202 | cls 203 | %msg% "Restore defaults..." "Восстановление по умолчанию..." 204 | %ifdef% Item set "args=apply %Item%" 205 | call :CheckTrusted||call :RestoreCurrentUser 206 | %sc% query wdFilter | find /i "RUNNING" >nul 2>&1 && %ifNdef% SAFEBOOT_OPTION call :Reboot2Safe 207 | call :CheckTrusted||(call :TrustedRun "%Script% %args%"&&exit) 208 | call :Restore 209 | call :Reboot2Normal 210 | exit 211 | 212 | :MAIN 213 | %ifNdef% BackUpDone %ifNdef% UserSettingDone ( 214 | cls 215 | %ifNdef% arg1 call :Warning 216 | %ifNdef% NoBackup (call :CheckTrusted||call :Backup) 217 | %ifdef% Policies (call :CheckTrusted||call :PoliciesHKCU) 218 | %ifdef% Registry (call :CheckTrusted||call :RegistryHKCU) 219 | ) 220 | cls 221 | %ifdef% Item set "args=apply %Item%" 222 | %ifNdef% NoBackup cls&call :CheckTrusted||(call :TrustedRun "%Script% %args%"&&exit&cls) 223 | %ifNdef% NoBackup %ifNdef% BackUpDone call :Backup 224 | call :BackUpDone 225 | call :CheckTrusted||(call :TrustedRun "%Script% %args%"&&exit&cls) 226 | %ifdef% Policies %ifNdef% PoliciesDone call :Policies 227 | %ifNdef% SAFEBOOT_OPTION call :SetMP 228 | %ifNdef% SAFEBOOT_OPTION "%ProgramFiles%\%wd%\MpCmdRun.exe" -RemoveDefinitions -All>nul 2>&1 229 | %ifNdef% SAFEBOOT_OPTION call :Reboot2Safe 230 | cls&call :CheckTrusted||(call :TrustedRun "%Script% %args%"&&exit&cls) 231 | %ifdef% Registry call :Registry 232 | %ifdef% Services call :Services 233 | %ifdef% Block call :Block 234 | call :Reboot2Normal 235 | ::############################################################################# 236 | :2LangMsg 237 | %ifdef% Lang (echo %~2) else (echo %~1) 238 | exit /b 239 | :2LangErr 240 | (%ifdef% Lang (echo %~2) else (echo %~1))&pause>nul 2>&1&exit 241 | 242 | :2LangErrNoPause 243 | (%ifdef% Lang (echo %~2) else (echo %~1))&exit /b 1 244 | 245 | :CheckTrusted 246 | %whoami% /GROUPS|find "TrustedInstaller">nul 2>&1&&exit /b 0||exit /b 1 247 | 248 | :Warning 249 | cls 250 | echo. 251 | if exist "%save%MySecurityDefaults.reg" ( 252 | %msg% "MySecurityDefaults.reg is detected, the backup of the current settings will be skipped." "Обнаружен MySecurityDefaults.reg, будет пропущен бэкап текущих настроек." 253 | %msg% "Delete MySecurityDefaults.reg and restart the script if you want to create a new backup." "Удалите MySecurityDefaults.reg и перезапустите скрипт если хотите создать новый бэкап." 254 | echo. 255 | ) 256 | if exist "%save%MySecurityDefaults.reg" echo "%save%MySecurityDefaults.reg"&echo. 257 | %ifdef% Policies ( 258 | %msg% "Group policies will be applied to %dl% " "Будут применены групповые политики для отключения " 259 | %msg% "%wd%, %ss%, Kernel Isolation, SmartAppControl etc." "Защитника Windows, %ss%, Изоляции ядра, Интелектуального управления приложениями" 260 | if exist "%sysdir%\MRT.exe" %msg% "%dl% updating and reporting for Malicious Software Removal Tool." "Отключено обновление и отчеты средства удаления вредоносных программ." 261 | echo. 262 | ) 263 | %ifdef% Registry ( 264 | %msg% "Registry settings will be applied to %dl%" "Будут применены настройки реестра для отключения" 265 | %msg% "tasks in the scheduler, warnings for downloaded files, file explorer extensions" "задач в планировщике, предупреждения для скачанных файлов, расширения проводника" 266 | echo. 267 | ) 268 | %ifdef% Services %msg% "The launch of %df%er services and drivers will be %dl%d." "Будет отключен запуск служб и драйверов защитника."&echo. 269 | %ifdef% Block %msg% "The launch of %df%er executable files will be blocked." "Будет заблокирован запуск исполняемых файлов защитника."&echo. 270 | %ifNdef% SAFEBOOT_OPTION %msg% "The computer will be restarted twice, to safe mode and back." "Компьютер будет перезагружен дважды, в безопасный режим и обратно." 271 | %ifdef% SAFEBOOT_OPTION %msg% "The computer will be restarted." "Компьютер будет перезагружен." 272 | echo. 273 | %ifNdef% Lang (choice /m "You really want to %dl% Windows defences" /c "yn") else (choice /m "Вы действительно хотите отключить защиты Windows?" /c "дн") 274 | if [%errorlevel%]==[2] goto :BEGIN 275 | cls 276 | exit /b 277 | 278 | :Reboot2Safe 279 | set "only=%~1" 280 | %reg% copy "HKLM%scc%\SafeBoot\Minimal\Win%df%" "HKLM%scc%\SafeBoot\Minimal\Win%df%_off" /s /f>nul 2>&1 281 | %rd% "HKLM%scc%\SafeBoot\Minimal\Win%df%" /f>nul 2>&1 282 | set "BootArgs=%args%" 283 | %ifdef% Item set "BootArgs=apply %Item%" 284 | %tk% /im mmc.exe /t /f>nul 2>&1 285 | %sc% delete %AS%Service>nul 2>&1 286 | %sc% create %AS%Service type= own start= auto error= ignore obj= "LocalSystem" binPath= "cmd.exe /c start \"\" \"%pth%%AS%Boot.cmd\"">nul 2>&1 287 | set "EventLog=" 288 | for /f "tokens=2*" %%a in ('%rq% "HKLM%scc%\WMI\Autologger\EventLog-System\{555908d1-a6d7-4695-8e1e-26931d2012f4}" /v "Enabled" 2^>nul') do set "EventLog=%%b" 289 | if [%EventLog%]==[0x1] %ra% "HKLM%scc%\WMI\Autologger\EventLog-System\{555908d1-a6d7-4695-8e1e-26931d2012f4}" /v Enabled /t %dw% /d 0 /f>nul 2>&1 290 | %ra% "HKLM%scc%\SafeBoot\Minimal\%AS%Service" /ve /t REG_SZ /d "Service" /f>nul 2>&1 291 | %ifNdef% only %ra% "HKLM%smw%\%cv%\RunOnce" /v "*Wait" /t %sz% /d "cmd.exe /k title WAIT&echo WAIT...&if exist \"%pth%%AS%Boot.cmd\" (call \"%pth%%AS%Boot.cmd\"&exit)" /f >nul 2>&1 292 | %ifNdef% only %ra% %ASR% /v "Save" /t %sz% /d "%save%\" /f >nul 2>&1 293 | call :SafeBoot %only% 294 | %msg% "The computer will now reboot into safe mode." "Компьютер сейчас перезагрузиться в безопасный режим." 295 | %shutdown% /r /f /t 3 /c "Reboot Safe Mode" 296 | %timeout% /t 4 297 | exit 298 | 299 | :SafeBoot 300 | set "only=%~1" 301 | del /f /q "%pth%%AS%Boot.cmd">nul 2>&1 302 | set win%df%= 303 | (%rq% "HKLM%scc%\SafeBoot\Minimal\Win%df%">nul 2>&1) %then% (set win%df%=1) 304 | set boottimeout=30 305 | set displaybootmenu= 306 | for /f "tokens=2" %%t in ('%bcdedit% /enum {bootmgr} ^| find "timeout"') do set "boottimeout=%%t" 307 | for /f "tokens=2" %%t in ('%bcdedit% /enum {bootmgr} ^| find "displaybootmenu"') do set "displaybootmenu=%%t" 308 | for /f "tokens=2" %%t in ('%bcdedit% /v ^| find "default"') do set "default=%%t" 309 | for /f "tokens=2 delims={}" %%a in ('%bcdedit% /copy {current} /d "Safe Mode" ^| find "{"') do set guid=%%a 310 | %bcdedit% /timeout "2" >nul 2>&1 311 | %bcdedit% /set {bootmgr} displaybootmenu Yes>nul 2>&1 312 | %bcdedit% /set {%guid%} safeboot minimal>nul 2>&1 313 | %bcdedit% /set {%guid%} bootmenupolicy Legacy>nul 2>&1 314 | %bcdedit% /set {%guid%} hypervisorlaunchtype off>nul 2>&1 315 | %bcdedit% /default {%guid%}>nul 2>&1 316 | echo chcp 65001>"%pth%%AS%Boot.cmd" 317 | echo bcdedit /timeout "%boottimeout%" >>"%pth%%AS%Boot.cmd" 318 | %ifdef% displaybootmenu echo bcdedit /set {bootmgr} displaybootmenu %displaybootmenu% >>"%pth%%AS%Boot.cmd" 319 | %ifNdef% displaybootmenu echo bcdedit /deletevalue {bootmgr} displaybootmenu >>"%pth%%AS%Boot.cmd" 320 | %ifdef% default echo bcdedit /default %default% >>"%pth%%AS%Boot.cmd" 321 | echo bcdedit /delete {%guid%}>>"%pth%%AS%Boot.cmd" 322 | echo reg delete "HKLM%scs%\%AS%Service" /f>>"%pth%%AS%Boot.cmd" 323 | echo reg delete "HKLM%scc%\SafeBoot\Minimal\%AS%Service" /f>>"%pth%%AS%Boot.cmd" 324 | %ifdef% win%df% ( 325 | %reg% copy "HKLM%scc%\SafeBoot\Minimal\Win%df%" "HKLM%scc%\SafeBoot\Minimal\Win%df%_off" /s /f>nul 2>&1 326 | %rd% "HKLM%scc%\SafeBoot\MinimalMinimal\Win%df%" /f>nul 2>&1 327 | echo reg copy "HKLM%scc%\SafeBoot\Minimal\Win%df%_off" "HKLM%scc%\SafeBoot\Minimal\Win%df%" /s /f>>"%pth%%AS%Boot.cmd" 328 | echo reg delete "HKLM%scc%\SafeBoot\Minimal\Win%df%_off" /f>>"%pth%%AS%Boot.cmd" 329 | ) 330 | if [%EventLog%]==[0x1] echo reg add "HKLM%scc%\WMI\Autologger\EventLog-System\{555908d1-a6d7-4695-8e1e-26931d2012f4}" /v Enabled /t %dw% /d 1 /f >>"%pth%%AS%Boot.cmd" 331 | %ifNdef% only echo if defined SAFEBOOT_OPTION start ^"^" ^"%Script%^" %BootArgs% >>"%pth%%AS%Boot.cmd" 332 | echo del /f /q ^"%pth%%AS%Boot.cmd^" >>"%pth%%AS%Boot.cmd" 333 | exit /b 334 | 335 | :Reboot2Normal 336 | %msg% "The computer will now reboot into default mode." "Компьютер сейчас перезагрузиться в обычный режим." 337 | %rd% "HKLM%smw%\%cv%\RunOnce" /v "*Wait" /f >nul 2>&1 338 | %rd% %ASR% /f >nul 2>&1 339 | %ifdef% SAFEBOOT_OPTION %shutdown% /r /f /t 0 340 | %ifNdef% SAFEBOOT_OPTION %shutdown% /r /f /t 3 /c "Reboot" 341 | %timeout% /t 4 342 | exit 343 | 344 | :TrustedRun 345 | %msg% "Getting Trusted Installer privileges..." "Получение привилегий Trusted Installer..." 346 | %sc% config "TrustedInstaller" start= demand>nul 2>&1 347 | %sc% start "TrustedInstaller">nul 2>&1 348 | del /f /q "%pth%%AS%TI.ps1">nul 2>&1 349 | set "RunAsTrustedInstaller=%~1" 350 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "$null|Out-File -FilePath '%pth%%AS%TI.ps1' -Encoding UTF8">nul 2>&1 351 | echo $AppFullPath=[System.Environment]::GetEnvironmentVariable('RunAsTrustedInstaller')>>"%pth%%AS%TI.ps1" 352 | echo [string]$GetTokenAPI=@'>>"%pth%%AS%TI.ps1" 353 | echo using System;using System.ServiceProcess;using System.Diagnostics;using System.Runtime.InteropServices;using System.Security.Principal;namespace WinAPI{internal static class WinBase{[StructLayout(LayoutKind.Sequential)]internal struct SECURITY_ATTRIBUTES{public int nLength;public IntPtr lpSecurityDeScriptor;public bool bInheritHandle;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]internal struct STARTUPINFO{public Int32 cb;public string lpReserved;public string lpDesktop;public string lpTitle;public uint dwX;public uint dwY;public uint dwXSize;public uint dwYSize;public uint dwXCountChars;public uint dwYCountChars;public uint dwFillAttribute;public uint dwFlags;public Int16 wShowWindow;public Int16 cbReserved2;public IntPtr lpReserved2;public IntPtr hStdInput;public IntPtr hStdOutput;public IntPtr hStdError;}[StructLayout(LayoutKind.Sequential)]internal struct PROCESS_INFORMATION{public IntPtr hProcess;public IntPtr hThread;public uint dwProcessId;public uint dwThreadId;}}internal static class WinNT{public enum TOKEN_TYPE{TokenPrimary=1,TokenImpersonation}public enum SECURITY_IMPERSONATION_LEVEL{SecurityAnonymous,SecurityIdentification,SecurityImpersonation,SecurityDelegation}[StructLayout(LayoutKind.Sequential,Pack=1)]internal struct TokPriv1Luid{public uint PrivilegeCount;public long Luid;public UInt32 Attributes;}}internal static class Advapi32{public const int SE_PRIVILEGE_ENABLED=0x00000002;public const uint CREATE_NO_WINDOW=0x08000000;public const uint CREATE_NEW_CONSOLE=0x00000010;public const uint CREATE_UNICODE_ENVIRONMENT=0x00000400;public const UInt32 STANDARD_RIGHTS_REQUIRED=0x000F0000;public const UInt32 STANDARD_RIGHTS_READ=0x00020000;public const UInt32 TOKEN_ASSIGN_PRIMARY=0x0001;public const UInt32 TOKEN_DUPLICATE=0x0002;public const UInt32 TOKEN_IMPERSONATE=0x0004;public const UInt32 TOKEN_QUERY=0x0008;public const UInt32 TOKEN_QUERY_SOURCE=0x0010;public const UInt32 TOKEN_ADJUST_PRIVILEGES=0x0020;public const UInt32 TOKEN_ADJUST_GROUPS=0x0040;public const UInt32 TOKEN_ADJUST_DEFAULT=0x0080;public const UInt32 TOKEN_ADJUST_SESSIONID=0x0100;public const UInt32 TOKEN_READ=(STANDARD_RIGHTS_READ^|TOKEN_QUERY);public const UInt32 TOKEN_ALL_ACCESS=(STANDARD_RIGHTS_REQUIRED^|TOKEN_ASSIGN_PRIMARY^|TOKEN_DUPLICATE^|TOKEN_IMPERSONATE^|TOKEN_QUERY^|TOKEN_QUERY_SOURCE^|TOKEN_ADJUST_PRIVILEGES^|TOKEN_ADJUST_GROUPS^|TOKEN_ADJUST_DEFAULT^|TOKEN_ADJUST_SESSIONID);[DllImport("advapi32.dll",SetLastError=true)][return:MarshalAs(UnmanagedType.Bool)]public static extern bool OpenProcessToken(IntPtr ProcessHandle,UInt32 DesiredAccess,out IntPtr TokenHandle);[DllImport("advapi32.dll",SetLastError=true,CharSet=CharSet.Auto)]public extern static bool DuplicateTokenEx(IntPtr hExistingToken,uint dwDesiredAccess,IntPtr lpTokenAttributes,WinNT.SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,WinNT.TOKEN_TYPE TokenType,out IntPtr phNewToken);[DllImport("advapi32.dll",SetLastError=true,CharSet=CharSet.Auto)]internal static extern bool LookupPrivilegeValue(string lpSystemName,string lpName,ref long lpLuid);[DllImport("advapi32.dll",SetLastError=true)]internal static extern bool AdjustTokenPrivileges(IntPtr TokenHandle,bool %dl%AllPrivileges,ref WinNT.TokPriv1Luid NewState,UInt32 Zero,IntPtr Null1,IntPtr Null2);[DllImport("advapi32.dll",SetLastError=true,CharSet=CharSet.Unicode)]public static extern bool CreateProcessAsUserW(IntPtr hToken,string lpApplicationName,string lpCommandLine,IntPtr lpProcessAttributes,IntPtr lpThreadAttributes,bool bInheritHandles,uint dwCreationFlags,IntPtr lpEnvironment,string lpCurrentDirectory,ref WinBase.STARTUPINFO lpStartupInfo,out WinBase.PROCESS_INFORMATION lpProcessInformation);[DllImport("advapi32.dll",SetLastError=true)]public static extern bool SetTokenInformation(IntPtr TokenHandle,uint TokenInformationClass,ref IntPtr TokenInformation,int TokenInformationLength);[DllImport("advapi32.dll",SetLastError=true,CharSet=CharSet.Auto)]public static extern bool RevertToSelf();}internal static class Kernel32{[Flags]public enum ProcessAccessFlags:uint{All=0x001F0FFF}[DllImport("kernel32.dll",SetLastError=true)]>>"%pth%%AS%TI.ps1" 354 | echo public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess,bool bInheritHandle,int processId);[DllImport("kernel32.dll",SetLastError=true)]public static extern bool CloseHandle(IntPtr hObject);}internal static class Userenv{[DllImport("userenv.dll",SetLastError=true)]public static extern bool CreateEnvironmentBlock(ref IntPtr lpEnvironment,IntPtr hToken,bool bInherit);}public static class ProcessConfig{public static IntPtr DuplicateTokenSYS(IntPtr hTokenSys){IntPtr hProcess=IntPtr.Zero,hToken=IntPtr.Zero,hTokenDup=IntPtr.Zero;int pid=0;string name;bool bSuccess,impersonate=false;try{if(hTokenSys==IntPtr.Zero){bSuccess=RevertToRealSelf();name=System.Text.Encoding.UTF8.GetString(new byte[]{87,73,78,76,79,71,79,78});}else{name=System.Text.Encoding.UTF8.GetString(new byte[]{84,82,85,83,84,69,68,73,78,83,84,65,76,76,69,82});ServiceController controlTI=new ServiceController(name);if(controlTI.Status==ServiceControllerStatus.Stopped){controlTI.Start();System.Threading.Thread.Sleep(5);controlTI.Close();}impersonate=ImpersonateWithToken(hTokenSys);if(!impersonate){return IntPtr.Zero;}}IntPtr curSessionId=new IntPtr(Process.GetCurrentProcess().SessionId);Process process=Array.Find(Process.GetProcessesByName(name),p=^>p.Id^>0);if(process!=null){pid=process.Id;}else{return IntPtr.Zero;}hProcess=Kernel32.OpenProcess(Kernel32.ProcessAccessFlags.All,true,pid);uint DesiredAccess=Advapi32.TOKEN_QUERY^|Advapi32.TOKEN_DUPLICATE^|Advapi32.TOKEN_ASSIGN_PRIMARY;bSuccess=Advapi32.OpenProcessToken(hProcess,DesiredAccess,out hToken);if(!bSuccess){return IntPtr.Zero;}DesiredAccess=Advapi32.TOKEN_ALL_ACCESS;bSuccess=Advapi32.DuplicateTokenEx(hToken,DesiredAccess,IntPtr.Zero,WinNT.SECURITY_IMPERSONATION_LEVEL.SecurityDelegation,WinNT.TOKEN_TYPE.TokenPrimary,out hTokenDup);if(!bSuccess){bSuccess=Advapi32.DuplicateTokenEx(hToken,DesiredAccess,IntPtr.Zero,WinNT.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation,WinNT.TOKEN_TYPE.TokenPrimary,out hTokenDup);}if(bSuccess){bSuccess=EnableAllPrivilages(hTokenDup);}if(!impersonate){hTokenSys=hTokenDup;impersonate=ImpersonateWithToken(hTokenSys);}if(impersonate){bSuccess=Advapi32.SetTokenInformation(hTokenDup,12,ref curSessionId,4);}}catch(Exception){}finally{if(hProcess!=IntPtr.Zero){Kernel32.CloseHandle(hProcess);}if(hToken!=IntPtr.Zero){Kernel32.CloseHandle(hToken);}bSuccess=RevertToRealSelf();}if(hTokenDup!=IntPtr.Zero){return hTokenDup;}else{return IntPtr.Zero;}}public static bool RevertToRealSelf(){try{Advapi32.RevertToSelf();WindowsImpersonationContext currentImpersonate=WindowsIdentity.GetCurrent().Impersonate();currentImpersonate.Undo();currentImpersonate.Dispose();}catch(Exception){return false;}return true;}public static bool ImpersonateWithToken(IntPtr hTokenSys){try{WindowsImpersonationContext ImpersonateSys=new WindowsIdentity(hTokenSys).Impersonate();}catch(Exception){return false;}return true;}private enum PrivilegeNames{SeAssignPrimaryTokenPrivilege,SeBackupPrivilege,SeIncreaseQuotaPrivilege,SeLoadDriverPrivilege,SeManageVolumePrivilege,SeRestorePrivilege,SeSecurityPrivilege,SeShutdownPrivilege,SeSystemEnvironmentPrivilege,SeSystemTimePrivilege,SeTakeOwnershipPrivilege,SeTrustedCredmanAccessPrivilege,SeUndockPrivilege};private static bool EnableAllPrivilages(IntPtr hTokenSys){WinNT.TokPriv1Luid tp;tp.PrivilegeCount=1;tp.Luid=0;tp.Attributes=Advapi32.SE_PRIVILEGE_ENABLED;bool bSuccess=false;try{foreach(string privilege in Enum.GetNames(typeof(PrivilegeNames))){bSuccess=Advapi32.LookupPrivilegeValue(null,privilege,ref tp.Luid);bSuccess=Advapi32.AdjustTokenPrivileges(hTokenSys,false,ref tp,0,IntPtr.Zero,IntPtr.Zero);}}catch(Exception){return false;}return bSuccess;}public static StructOut CreateProcessWithTokenSys(IntPtr hTokenSys,string AppPath){uint exitCode=0;bool bSuccess;bool bInherit=false;string stdOutString="";IntPtr hReadOut=IntPtr.Zero,hWriteOut=IntPtr.Zero;const uint HANDLE_FLAG_INHERIT=0x00000001;const uint STARTF_USESTDHANDLES=0x00000100;const UInt32 INFINITE=0xFFFFFFFF;IntPtr NewEnvironment=IntPtr.Zero;bSuccess=Userenv.CreateEnvironmentBlock(ref NewEnvironment,hTokenSys,true);uint CreationFlags=Advapi32.CREATE_UNICODE_ENVIRONMENT^|Advapi32.CREATE_NEW_CONSOLE;WinBase.PROCESS_INFORMATION pi=new WinBase.PROCESS_INFORMATION();WinBase.STARTUPINFO si=new WinBase.STARTUPINFO();si.cb=Marshal.SizeOf(si);si.lpDesktop="winsta0\\default";try{bSuccess=ImpersonateWithToken(hTokenSys);bSuccess=Advapi32.CreateProcessAsUserW(hTokenSys,null,AppPath,IntPtr.Zero,IntPtr.Zero,bInherit,(uint)CreationFlags,NewEnvironment,null,ref si,out pi);if(!bSuccess){exitCode=1;}}catch(Exception){}finally{if(pi.hProcess!=IntPtr.Zero){Kernel32.CloseHandle(pi.hProcess);}if(pi.hThread!=IntPtr.Zero){Kernel32.CloseHandle(pi.hThread);}bSuccess=RevertToRealSelf();}StructOut so=new StructOut();so.ProcessId=pi.dwProcessId;so.ExitCode=exitCode;so.StdOut=stdOutString;return so;}[StructLayout(LayoutKind.Sequential,CharSet=CharSet.Unicode)]public struct StructOut{public uint ProcessId;public uint ExitCode;public string StdOut;}}}>>"%pth%%AS%TI.ps1" 355 | echo '@>>"%pth%%AS%TI.ps1" 356 | echo if (-not ('WinAPI.ProcessConfig' -as [type] )){$cp=[System.CodeDom.Compiler.CompilerParameters]::new(@('System.dll','System.ServiceProcess.dll'))>>"%pth%%AS%TI.ps1" 357 | echo $cp.TempFiles=[System.CodeDom.Compiler.TempFileCollection]::new($DismScratchDirGlobal,$false)>>"%pth%%AS%TI.ps1" 358 | echo $cp.GenerateInMemory=$true>>"%pth%%AS%TI.ps1" 359 | echo $cp.CompilerOptions='/platform:anycpu /nologo'>>"%pth%%AS%TI.ps1" 360 | echo Add-Type -TypeDefinition $GetTokenAPI -Language CSharp -ErrorAction Stop -CompilerParameters $cp}>>"%pth%%AS%TI.ps1" 361 | echo $Global:Token_SYS=[WinAPI.ProcessConfig]::DuplicateTokenSYS([System.IntPtr]::Zero)>>"%pth%%AS%TI.ps1" 362 | echo if ($Global:Token_SYS -eq [IntPtr]::Zero ){$Exit=$true; Return}>>"%pth%%AS%TI.ps1" 363 | echo $Global:Token_TI=[WinAPI.ProcessConfig]::DuplicateTokenSYS($Global:Token_SYS)>>"%pth%%AS%TI.ps1" 364 | echo if ($Global:Token_TI -eq [IntPtr]::Zero ){$Exit=$true; Return}>>"%pth%%AS%TI.ps1" 365 | echo [WinAPI.ProcessConfig+StructOut] $StructOut=New-Object -TypeName WinAPI.ProcessConfig+StructOut>>"%pth%%AS%TI.ps1" 366 | echo $StructOut=[WinAPI.ProcessConfig]::CreateProcessWithTokenSys($Global:Token_TI, $AppFullPath)>>"%pth%%AS%TI.ps1" 367 | echo return $StructOut.ExitCode>>"%pth%%AS%TI.ps1" 368 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -f "%pth%%AS%TI.ps1" 369 | set "trusted=%errorlevel%">nul 2>&1 370 | del /f /q "%pth%%AS%TI.ps1">nul 2>&1 371 | exit /b %trusted% 372 | 373 | :Backup 374 | if exist "%save%MySecurityDefaults.reg" goto :EndBackup 375 | call :CheckTrusted&&goto :TrustedBackup 376 | %ifdef% UserSettingDone goto :EndBackup 377 | %msg% "Creating a recovery point if recovery is enabled..." "Создание точки восстановления, если восстановление включено..." 378 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "Checkpoint-Computer -DeScription '%AS% Script Backup %date% %time%' -RestorePointType 'MODIFY_SETTINGS' -ErrorAction SilentlyContinue"&&echo OK||%msg% "Skip" "Пропуск" 379 | call :RegSave 380 | %msg% "Backup security settings from the HKCU registry key..." "Бэкап настроек безопасности из раздела реестра HKCU..." 381 | call :HKCU_List 382 | call :BackupReg "hkcu.list" "hkcu.txt" 383 | del /f/q "%pth%hkcu.list">nul 2>&1 384 | goto :EndBackup 385 | :TrustedBackup 386 | call :RegSave 387 | %msg% "Backup settings from the HKLM registry key..." "Бэкап настроек из раздела реестра HKLM..." 388 | call :HKLM_List 389 | call :BackupReg "hklm.list" "hklm.txt" 390 | del /f/q "%pth%hklm.list">nul 2>&1 391 | if exist "%pth%hkcu.txt" copy /b "%pth%hkcu.txt"+"%pth%hklm.txt" "%save%MySecurityDefaults.reg">nul 2>&1 392 | if not exist "%pth%hkcu.txt" move /y "%pth%hklm.txt" "%save%MySecurityDefaults.reg">nul 2>&1 393 | del /f/q "%pth%hkcu.txt">nul 2>&1 394 | del /f/q "%pth%hklm.txt">nul 2>&1 395 | echo "%save%MySecurityDefaults.reg" 396 | :EndBackup 397 | exit /b 398 | 399 | :RegSave 400 | if exist "%regback%\SOFTWARE" if exist "%regback%\SOFTWARE" goto :SkipRegSave 401 | %msg% "Creating a complete copy of the registry in %regback%" "Создание полной копии реестра в %regback%" 402 | if not exist "%regback%" md "%regback%">nul 2>&1 403 | %msg% "Creating full copy of HKLM\SOFTWARE in %regback%" "Создание полной копии HKLM\SOFTWARE" 404 | %rs% HKLM\SOFTWARE "%regback%\SOFTWARE" /y>nul 2>&1 405 | %msg% "Creating full copy of HKLM\SYSTEM in %regback%" "Создание полной копии HKLM\SYSTEM" 406 | %rs% HKLM\SYSTEM "%regback%\SYSTEM" /y>nul 2>&1 407 | :SkipRegSave 408 | exit /b 409 | 410 | :BackupReg 411 | set out="%pth%%AS%Backup.ps1" 412 | del /f/q %out%>nul 2>&1 413 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "$null|Out-File -FilePath '%out%' -Encoding UTF8">nul 2>&1 414 | echo $I="%pth%%~1">>%out% 415 | echo $F="%pth%%~2">>%out% 416 | echo $O=New-Object System.Text.StringBuilder>>%out% 417 | echo if($F -ne "%pth%hklm.txt"){$O.AppendLine("Windows Registry Editor Version 5.00")^|Out-Null}>>%out% 418 | echo if($F -eq "%pth%hklm.txt"){if(![System.IO.File]::Exists("%pth%hkcu.txt")){$O.AppendLine("Windows Registry Editor Version 5.00")^|Out-Null}}>>%out% 419 | echo $O.AppendLine("")^|Out-Null>>%out% 420 | echo Get-Content -Path $I^|ForEach-Object{$l=$_.Trim()>>%out% 421 | echo if($l -eq ""){return}>>%out% 422 | echo $t=$l -split ",">>%out% 423 | echo $P=$t[0]>>%out% 424 | echo $K=if($t.Count -gt 1){$t[1]}else{""}>>%out% 425 | echo $S=$P -replace "HKCU:","HKEY_CURRENT_USER" -replace "HKLM:","HKEY_LOCAL_MACHINE">>%out% 426 | echo if(Test-Path -Path $P){$O.AppendLine("[$S]")^|Out-Null>>%out% 427 | echo if($K -eq ""){Get-ItemProperty -Path $P^|Select-Object -Property *^|ForEach-Object{>>%out% 428 | echo $_.PSObject.Properties^|Where-Object{$_.Name -notmatch '^^PS'}^|ForEach-Object{>>%out% 429 | echo if ($($_.Name) -eq "(default)"){$O.AppendLine("@=""$($_.Value)""")^|Out-Null}>>%out% 430 | echo else {$O.AppendLine("""$($_.Name)""=""$($_.Value)""")^|Out-Null}}}}>>%out% 431 | echo else{$C=(Get-ItemProperty -Path $P -ErrorAction SilentlyContinue).PSObject.Properties.Name>>%out% 432 | echo if($C -contains $K){$V=(Get-ItemProperty -Path $P -Name $K -ErrorAction SilentlyContinue).$K>>%out% 433 | echo $ln=$V.Length>>%out% 434 | echo if($ln -eq 0){if($K -eq "Start"){$O.AppendLine("""$K""=dword:$("{0:X8}" -f $V)")^|Out-Null}>>%out% 435 | echo else{$O.AppendLine("""$K""=""""")^|Out-Null}}>>%out% 436 | echo else{if($V -is [int]){$O.AppendLine("""$K""=dword:$("{0:X8}" -f $V)")^|Out-Null}>>%out% 437 | echo elseif ($V -is [byte[]]) {>>%out% 438 | echo $bin=($V ^| ForEach-Object {"{0:X2}" -f $_ }) -join ",">>%out% 439 | echo $O.AppendLine("""$K""=hex:$bin")^|Out-Null}>>%out% 440 | echo else{$O.AppendLine("""$K""=""$V""")^|Out-Null}}}>>%out% 441 | echo else{$O.AppendLine("""$K""=-")^|Out-Null}}>>%out% 442 | echo $O.AppendLine("")^|Out-Null}>>%out% 443 | echo else{if(-not $O.ToString().Contains("[-$S]")){$O.AppendLine("[-$S]")^|Out-Null>>%out% 444 | echo $O.AppendLine("")^|Out-Null}}}>>%out% 445 | echo $O.ToString()^|Set-Content -Path $F -Encoding Unicode>>%out% 446 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -f %out%>nul 2>&1 447 | del /f/q %out%>nul 2>&1 448 | exit /b 449 | 450 | :Screen 451 | cls 452 | echo ┌──────────────────────────────────────────┐ 453 | echo │ ┌─┐┌─┐┬ ┬┬┬ ┬ ┌─┐┌─┐┐ ┌─┐┌─┐┬─┐┬┌─┐┌┬┐ │ 454 | echo │ ├─┤│ ├─┤││ │ ├┤ └─┐ └─┐│ ├┬┘│├─┘ │  │ 455 | echo │ ┴ ┴└─┴┴ ┴┴┴─┘┴─┘└─┘└─┘ └─┘└─┘┴└─┴┴ ┴  │ 456 | echo └──────────────────────────────────────────┘ 457 | %ifNdef% Lang (echo  to disable Windows Defender and Security 458 | ) else ( 459 | echo  отключение Защитника Windows и Безопасности 460 | ) 461 | echo. 462 | echo %asv% 463 | echo. 464 | echo %WindowsVersion% build %WindowsBuild% 465 | echo. 466 | %msg% " [1] Group Policies" " [1] Групповые политики" 467 | %msg% " [2] Policies + Registry Settings" " [2] Политики + Настройки реестра" 468 | %msg% " [3] Policies + Settings + Disabling Services and drivers" " [3] Политики + Настройки + Отключение служб и драйверов" 469 | %msg% " [4] Policies + Settings + Disabling Services and drivers + Block launch executables" " [4] Политики + Настройки + Отключение служб и драйверов + Блокировка запуска" 470 | %msg% "─────────────────────────────────────────────────────────────────────────────────────" "─────────────────────────────────────────────────────────────────────────────" 471 | %msg% " [5] Help" " [5] Помощь" 472 | %msg% " [6] Restore Defaults" " [6] Восстановить по умолчанию" 473 | %msg% " [0] Exit" " [0] Выход" 474 | echo. 475 | exit /b 476 | 477 | :HKCU_List 478 | del /f/q "%pth%hkcu.list">nul 2>&1 479 | echo HKCU:%smw% Security Health\State,AppAndBrowser_Edge%ss%Off>"%pth%hkcu.list" 480 | echo HKCU:%smw% Security Health\State,AppAndBrowser_Pua%ss%Off>>"%pth%hkcu.list" 481 | echo HKCU:%smw% Security Health\State,AppAndBrowser_StoreApps%ss%Off>>"%pth%hkcu.list" 482 | echo HKCU:%smw%\%cv%\AppHost,EnableWebContentEvaluation>>"%pth%hkcu.list" 483 | echo HKCU:%smw%\%cv%\AppHost,PreventOverride>>"%pth%hkcu.list" 484 | echo HKCU:%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance,Enabled>>"%pth%hkcu.list" 485 | echo HKCU:%smw%\%cv%\Policies\Attachments,SaveZoneInformation>>"%pth%hkcu.list" 486 | echo HKCU:%smw%\%cv%\Policies\Attachments,HideZoneInfoOnProperties>>"%pth%hkcu.list" 487 | echo HKCU:%smw%\%cv%\Policies\Attachments,ScanWithAntiVirus>>"%pth%hkcu.list" 488 | echo HKCU:%spm%\Edge,%ss%Enabled>>"%pth%hkcu.list" 489 | echo HKCU:%spm%\Edge,%ss%PuaEnabled>>"%pth%hkcu.list" 490 | echo HKLM:%scc%\SafeBoot\Minimal\Win%df%>>"%pth%hkcu.list" 491 | echo HKLM:%scc%\SafeBoot\Minimal\Win%df%_off>>"%pth%hkcu.list" 492 | call :ListUWP sechealth 493 | call :ListUWP chxapp 494 | exit /b 495 | 496 | :HKLM_List 497 | del /f/q "%pth%hklm.list">nul 2>&1 498 | echo HKLM:%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}>"%pth%hklm.list" 499 | echo HKLM:%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32>>"%pth%hklm.list" 500 | echo HKLM:%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\LocalServer32>>"%pth%hklm.list" 501 | echo HKLM:%scl%\exefile\shell\open,No%ss%>>"%pth%hklm.list" 502 | echo HKLM:%scl%\exefile\shell\runas,No%ss%>>"%pth%hklm.list" 503 | echo HKLM:%scl%\exefile\shell\runasuser,No%ss%>>"%pth%hklm.list" 504 | echo HKLM:%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}>>"%pth%hklm.list" 505 | echo HKLM:%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32>>"%pth%hklm.list" 506 | echo HKLM:%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\LocalServer32>>"%pth%hklm.list" 507 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}>>"%pth%hklm.list" 508 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}\1.0>>"%pth%hklm.list" 509 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}\1.0\0>>"%pth%hklm.list" 510 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}\1.0\0\win64>>"%pth%hklm.list" 511 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}\1.0\FLAGS>>"%pth%hklm.list" 512 | echo HKLM:%scl%\TypeLib\{93EB5B57-E8B9-4576-8425-C0D3D6195B4F}\1.0\HELPDIR>>"%pth%hklm.list" 513 | echo HKLM:\SOFTWARE\Microsoft\RemovalTools\MpGears,HeartbeatTrackingIndex>>"%pth%hklm.list" 514 | echo HKLM:%smwd% Security Center\Device security,UILockdown>>"%pth%hklm.list" 515 | echo HKLM:%smwd% Security Center\Notifications,%dl%EnhancedNotifications>>"%pth%hklm.list" 516 | echo HKLM:%smwd% Security Center\Virus and threat protection,FilesBlockedNotification%dl%d>>"%pth%hklm.list" 517 | echo HKLM:%smwd% Security Center\Virus and threat protection,NoActionNotification%dl%d>>"%pth%hklm.list" 518 | echo HKLM:%smwd% Security Center\Virus and threat protection,SummaryNotification%dl%d>>"%pth%hklm.list" 519 | echo HKLM:%smwd%,%dl%AntiSpyware>>"%pth%hklm.list" 520 | echo HKLM:%smwd%,%dl%AntiVirus>>"%pth%hklm.list" 521 | echo HKLM:%smwd%,HybridModeEnabled>>"%pth%hklm.list" 522 | echo HKLM:%smwd%,IsServiceRunning>>"%pth%hklm.list" 523 | echo HKLM:%smwd%,ProductStatus>>"%pth%hklm.list" 524 | echo HKLM:%smwd%,ProductType>>"%pth%hklm.list" 525 | echo HKLM:%smwd%,PUAProtection>>"%pth%hklm.list" 526 | echo HKLM:%smwd%,SmartLockerMode>>"%pth%hklm.list" 527 | echo HKLM:%smwd%,VerifiedAndReputableTrustModeEnabled>>"%pth%hklm.list" 528 | echo HKLM:%smwd%\CoreService,%dl%CoreService1DSTelemetry>>"%pth%hklm.list" 529 | echo HKLM:%smwd%\CoreService,%dl%CoreServiceECSIntegration>>"%pth%hklm.list" 530 | echo HKLM:%smwd%\CoreService,Md%dl%ResController>>"%pth%hklm.list" 531 | echo HKLM:%smwd%\Features,EnableCACS>>"%pth%hklm.list" 532 | echo HKLM:%smwd%\Features,Protection>>"%pth%hklm.list" 533 | echo HKLM:%smwd%\Features,TamperProtection>>"%pth%hklm.list" 534 | echo HKLM:%smwd%\Features,TamperProtectionSource>>"%pth%hklm.list" 535 | echo HKLM:%smwd%\Features\EcsConfigs,EnableAdsSymlinkMitigation_MpRamp>>"%pth%hklm.list" 536 | echo HKLM:%smwd%\Features\EcsConfigs,EnableBmProcessInfoMetastoreMaintenance_MpRamp>>"%pth%hklm.list" 537 | echo HKLM:%smwd%\Features\EcsConfigs,EnableCIWorkaroundOnCFAEnabled_MpRamp>>"%pth%hklm.list" 538 | echo HKLM:%smwd%\Features\EcsConfigs,Md%dl%ResController>>"%pth%hklm.list" 539 | echo HKLM:%smwd%\Features\EcsConfigs,Mp%dl%PropBagNotification>>"%pth%hklm.list" 540 | echo HKLM:%smwd%\Features\EcsConfigs,Mp%dl%ResourceMonitoring>>"%pth%hklm.list" 541 | echo HKLM:%smwd%\Features\EcsConfigs,MpEnableNoMetaStoreProcessInfoContainer>>"%pth%hklm.list" 542 | echo HKLM:%smwd%\Features\EcsConfigs,MpEnablePurgeHipsCache>>"%pth%hklm.list" 543 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_AdvertiseLogonMinutesFeature>>"%pth%hklm.list" 544 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_EnableCommonMetricsEvents>>"%pth%hklm.list" 545 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_EnableImpersonationOnNetworkResourceScan>>"%pth%hklm.list" 546 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_EnablePersistedScanV2>>"%pth%hklm.list" 547 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_Kernel_EnableFolderGuardOnPostCreate>>"%pth%hklm.list" 548 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_Kernel_SystemIoRequestWorkOnBehalfOf>>"%pth%hklm.list" 549 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_Md%dl%1ds>>"%pth%hklm.list" 550 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_MdEnableCoreService>>"%pth%hklm.list" 551 | echo HKLM:%smwd%\Features\EcsConfigs,MpFC_RtpEnable%df%erConfigMonitoring>>"%pth%hklm.list" 552 | echo HKLM:%smwd%\Features\EcsConfigs,MpForceDllHostScanExeOnOpen>>"%pth%hklm.list" 553 | echo HKLM:%smwd%\Real-Time Protection,%dl%AsyncScanOnOpen>>"%pth%hklm.list" 554 | echo HKLM:%smwd%\Real-Time Protection,%dl%RealtimeMonitoring>>"%pth%hklm.list" 555 | echo HKLM:%smwd%\Real-Time Protection,Dpa%dl%d>>"%pth%hklm.list" 556 | echo HKLM:%smwd%\Scan,AvgCPULoadFactor>>"%pth%hklm.list" 557 | echo HKLM:%smwd%\Scan,%dl%ArchiveScanning>>"%pth%hklm.list" 558 | echo HKLM:%smwd%\Scan,%dl%EmailScanning>>"%pth%hklm.list" 559 | echo HKLM:%smwd%\Scan,%dl%RemovableDriveScanning>>"%pth%hklm.list" 560 | echo HKLM:%smwd%\Scan,%dl%ScanningMappedNetworkDrivesForFullScan>>"%pth%hklm.list" 561 | echo HKLM:%smwd%\Scan,%dl%ScanningNetworkFiles>>"%pth%hklm.list" 562 | echo HKLM:%smwd%\Scan,LowCpuPriority>>"%pth%hklm.list" 563 | echo HKLM:%smwd%\Spynet,MAPSconcurrency>>"%pth%hklm.list" 564 | echo HKLM:%smwd%\Spynet,SpyNetReporting>>"%pth%hklm.list" 565 | echo HKLM:%smwd%\Spynet,SpyNetReportingLocation>>"%pth%hklm.list" 566 | echo HKLM:%smwd%\Spynet,SubmitSamplesConsent>>"%pth%hklm.list" 567 | echo HKLM:%smwd%\Threats\ThreatIDDefaultAction>>"%pth%hklm.list" 568 | echo HKLM:%smwd%\Threats\ThreatSeverityDefaultAction>>"%pth%hklm.list" 569 | echo HKLM:%smwd%\Threats\ThreatTypeDefaultAction>>"%pth%hklm.list" 570 | echo HKLM:%smwd%\%wd% Exploit Guard\ASR,EnableASRConsumers>>"%pth%hklm.list" 571 | echo HKLM:%smwd%\%wd% Exploit Guard\ASR\Rules>>"%pth%hklm.list" 572 | echo HKLM:%smwd%\%wd% Exploit Guard\Controlled Folder Access,EnableControlledFolderAccess>>"%pth%hklm.list" 573 | echo HKLM:%smwd%\%wd% Exploit Guard\Network Protection,EnableNetworkProtection>>"%pth%hklm.list" 574 | echo HKLM:%smwci%\ConfigSecurityPolicy.exe>>"%pth%hklm.list" 575 | echo HKLM:%smwci%\DlpUserAgent.exe>>"%pth%hklm.list" 576 | echo HKLM:%smwci%\%df%erbootstrapper.exe>>"%pth%hklm.list" 577 | echo HKLM:%smwci%\mpam-d.exe>>"%pth%hklm.list" 578 | echo HKLM:%smwci%\mpam-fe.exe>>"%pth%hklm.list" 579 | echo HKLM:%smwci%\mpam-fe_bd.exe>>"%pth%hklm.list" 580 | echo HKLM:%smwci%\mpas-d.exe>>"%pth%hklm.list" 581 | echo HKLM:%smwci%\mpas-fe.exe>>"%pth%hklm.list" 582 | echo HKLM:%smwci%\mpas-fe_bd.exe>>"%pth%hklm.list" 583 | echo HKLM:%smwci%\mpav-d.exe>>"%pth%hklm.list" 584 | echo HKLM:%smwci%\mpav-fe.exe>>"%pth%hklm.list" 585 | echo HKLM:%smwci%\mpav-fe_bd.exe>>"%pth%hklm.list" 586 | echo HKLM:%smwci%\MpCmdRun.exe>>"%pth%hklm.list" 587 | echo HKLM:%smwci%\MpCopyAccelerator.exe>>"%pth%hklm.list" 588 | echo HKLM:%smwci%\Mp%df%erCoreService.exe>>"%pth%hklm.list" 589 | echo HKLM:%smwci%\MpDlpCmd.exe>>"%pth%hklm.list" 590 | echo HKLM:%smwci%\MpDlpService.exe>>"%pth%hklm.list" 591 | echo HKLM:%smwci%\mpextms.exe>>"%pth%hklm.list" 592 | echo HKLM:%smwci%\MpSigStub.exe>>"%pth%hklm.list" 593 | echo HKLM:%smwci%\MRT.exe>>"%pth%hklm.list" 594 | echo HKLM:%smwci%\MsMpEng.exe>>"%pth%hklm.list" 595 | echo HKLM:%smwci%\MsSense.exe>>"%pth%hklm.list" 596 | echo HKLM:%smwci%\NisSrv.exe>>"%pth%hklm.list" 597 | echo HKLM:%smwci%\OfflineScannerShell.exe>>"%pth%hklm.list" 598 | echo HKLM:%smwci%\secinit.exe>>"%pth%hklm.list" 599 | echo HKLM:%smwci%\SecureKernel.exe>>"%pth%hklm.list" 600 | echo HKLM:%smwci%\SecurityHealthHost.exe>>"%pth%hklm.list" 601 | echo HKLM:%smwci%\SecurityHealthService.exe>>"%pth%hklm.list" 602 | echo HKLM:%smwci%\SecurityHealthSystray.exe>>"%pth%hklm.list" 603 | echo HKLM:%smwci%\SenseAP.exe>>"%pth%hklm.list" 604 | echo HKLM:%smwci%\SenseAPToast.exe>>"%pth%hklm.list" 605 | echo HKLM:%smwci%\SenseCM.exe>>"%pth%hklm.list" 606 | echo HKLM:%smwci%\SenseGPParser.exe>>"%pth%hklm.list" 607 | echo HKLM:%smwci%\SenseIdentity.exe>>"%pth%hklm.list" 608 | echo HKLM:%smwci%\SenseImdsCollector.exe>>"%pth%hklm.list" 609 | echo HKLM:%smwci%\SenseIR.exe>>"%pth%hklm.list" 610 | echo HKLM:%smwci%\SenseNdr.exe>>"%pth%hklm.list" 611 | echo HKLM:%smwci%\SenseSampleUploader.exe>>"%pth%hklm.list" 612 | echo HKLM:%smwci%\SenseTVM.exe>>"%pth%hklm.list" 613 | echo HKLM:%smwci%\SgrmBroker.exe>>"%pth%hklm.list" 614 | echo HKLM:%smwci%\%ss%.exe>>"%pth%hklm.list" 615 | echo HKLM:%smwci%\LSASS.exe>>"%pth%hklm.list" 616 | echo HKLM:%smw% NT\%cv%\Svchost,WebThreatDefense>>"%pth%hklm.list" 617 | echo HKLM:%smw%\%cv%\AppHost,EnableWebContentEvaluation>>"%pth%hklm.list" 618 | echo HKLM:%smw%\%cv%\Explorer,AicEnabled>>"%pth%hklm.list" 619 | echo HKLM:%smw%\%cv%\Explorer,%ss%Enabled>>"%pth%hklm.list" 620 | echo HKLM:%smw%\%cv%\Explorer\StartupApproved\Run,SecurityHealth>>"%pth%hklm.list" 621 | echo HKLM:%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance,Enabled>>"%pth%hklm.list" 622 | echo HKLM:%smw%\%cv%\Run,SecurityHealth>>"%pth%hklm.list" 623 | echo HKLM:%smw%\%cv%\Run\Autoruns%dl%d,SecurityHealth>>"%pth%hklm.list" 624 | echo HKLM:%smw%\%cv%\Shell Extensions\Approved,{09A47860-11B0-4DA5-AFA5-26D86198A780}>>"%pth%hklm.list" 625 | echo HKLM:%smw%\%cv%\Shell Extensions\Blocked,{09A47860-11B0-4DA5-AFA5-26D86198A780}>>"%pth%hklm.list" 626 | echo HKLM:%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\Operational,Enabled>>"%pth%hklm.list" 627 | echo HKLM:%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\WHC,Enabled>>"%pth%hklm.list" 628 | echo HKLM:%smw%\%cv%\Policies\Explorer,SettingsPageVisibility>>"%pth%hklm.list" 629 | echo HKLM:%spm%\MRT,DontOfferThroughWUAU>>"%pth%hklm.list" 630 | echo HKLM:%spm%\MRT,DontReportInfectionInformation>>"%pth%hklm.list" 631 | echo HKLM:%spm%\MicrosoftEdge\PhishingFilter>>"%pth%hklm.list" 632 | echo HKLM:%spm%\MicrosoftEdge\PhishingFilter,EnabledV9>>"%pth%hklm.list" 633 | echo HKLM:%spm%\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown>>"%pth%hklm.list" 634 | echo HKLM:%spmwd% Security Center\Account protection,UILockdown>>"%pth%hklm.list" 635 | echo HKLM:%spmwd% Security Center\App and Browser protection,UILockdown>>"%pth%hklm.list" 636 | echo HKLM:%spmwd% Security Center\App and Browser protection,DisallowExploitProtectionOverride>>"%pth%hklm.list" 637 | echo HKLM:%spmwd% Security Center\Device performance and health,UILockdown>>"%pth%hklm.list" 638 | echo HKLM:%spmwd% Security Center\Device security,UILockdown>>"%pth%hklm.list" 639 | echo HKLM:%spmwd% Security Center\Family options,UILockdown>>"%pth%hklm.list" 640 | echo HKLM:%spmwd% Security Center\Firewall and network protection,UILockdown>>"%pth%hklm.list" 641 | echo HKLM:%spmwd% Security Center\Notifications,%dl%Notifications>>"%pth%hklm.list" 642 | echo HKLM:%spmwd% Security Center\Systray,HideSystray>>"%pth%hklm.list" 643 | echo HKLM:%spmwd% Security Center\Virus and threat protection,UILockdown>>"%pth%hklm.list" 644 | echo HKLM:%spmwd%,AllowFastServiceStartup>>"%pth%hklm.list" 645 | echo HKLM:%spmwd%,%dl%AntiSpyware>>"%pth%hklm.list" 646 | echo HKLM:%spmwd%,%dl%LocalAdminMerge>>"%pth%hklm.list" 647 | echo HKLM:%spmwd%,%dl%RoutinelyTakingAction>>"%pth%hklm.list" 648 | echo HKLM:%spmwd%,PUAProtection>>"%pth%hklm.list" 649 | echo HKLM:%spmwd%,RandomizeScheduleTaskTimes>>"%pth%hklm.list" 650 | echo HKLM:%spmwd%,ServiceKeepAlive>>"%pth%hklm.list" 651 | echo HKLM:%spmwd%\Exclusions,%dl%AutoExclusions>>"%pth%hklm.list" 652 | echo HKLM:%spmwd%\MpEngine,EnableFileHashComputation>>"%pth%hklm.list" 653 | echo HKLM:%spmwd%\MpEngine,MpBafsExtendedTimeout>>"%pth%hklm.list" 654 | echo HKLM:%spmwd%\MpEngine,MpCloudBlockLevel>>"%pth%hklm.list" 655 | echo HKLM:%spmwd%\MpEngine,MpEnablePus>>"%pth%hklm.list" 656 | echo HKLM:%spmwd%\NIS\Consumers\IPS,%dl%ProtocolRecognition>>"%pth%hklm.list" 657 | echo HKLM:%spmwd%\NIS\Consumers\IPS,%dl%SignatureRetirement>>"%pth%hklm.list" 658 | echo HKLM:%spmwd%\NIS\Consumers\IPS,ThrottleDetectionEventsRate>>"%pth%hklm.list" 659 | echo HKLM:%spmwd%\Policy Manager,%dl%ScanningNetworkFiles>>"%pth%hklm.list" 660 | echo HKLM:%spmwd%\Real-Time Protection,%dl%BehaviorMonitoring>>"%pth%hklm.list" 661 | echo HKLM:%spmwd%\Real-Time Protection,%dl%InformationProtectionControl>>"%pth%hklm.list" 662 | echo HKLM:%spmwd%\Real-Time Protection,%dl%IntrusionPreventionSystem>>"%pth%hklm.list" 663 | echo HKLM:%spmwd%\Real-Time Protection,%dl%IOAVProtection>>"%pth%hklm.list" 664 | echo HKLM:%spmwd%\Real-Time Protection,%dl%OnAccessProtection>>"%pth%hklm.list" 665 | echo HKLM:%spmwd%\Real-Time Protection,%dl%RawWriteNotification>>"%pth%hklm.list" 666 | echo HKLM:%spmwd%\Real-Time Protection,%dl%RealtimeMonitoring>>"%pth%hklm.list" 667 | echo HKLM:%spmwd%\Real-Time Protection,%dl%ScanOnRealtimeEnable>>"%pth%hklm.list" 668 | echo HKLM:%spmwd%\Real-Time Protection,%dl%ScriptScanning>>"%pth%hklm.list" 669 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverride%dl%BehaviorMonitoring>>"%pth%hklm.list" 670 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverride%dl%IntrusionPreventionSystem>>"%pth%hklm.list" 671 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverride%dl%IOAVProtection>>"%pth%hklm.list" 672 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverride%dl%OnAccessProtection>>"%pth%hklm.list" 673 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverride%dl%RealtimeMonitoring>>"%pth%hklm.list" 674 | echo HKLM:%spmwd%\Real-Time Protection,LocalSettingOverrideRealtimeScanDirection>>"%pth%hklm.list" 675 | echo HKLM:%spmwd%\Real-Time Protection,RealtimeScanDirection>>"%pth%hklm.list" 676 | echo HKLM:%spmwd%\Reporting,%dl%EnhancedNotifications>>"%pth%hklm.list" 677 | echo HKLM:%spmwd%\Reporting,%dl%GenericRePorts>>"%pth%hklm.list" 678 | echo HKLM:%spmwd%\Reporting,WppTracingComponents>>"%pth%hklm.list" 679 | echo HKLM:%spmwd%\Reporting,WppTracingLevel>>"%pth%hklm.list" 680 | echo HKLM:%spmwd%\Scan,%dl%ArchiveScanning>>"%pth%hklm.list" 681 | echo HKLM:%spmwd%\Scan,%dl%CatchupFullScan>>"%pth%hklm.list" 682 | echo HKLM:%spmwd%\Scan,%dl%CatchupQuickScan>>"%pth%hklm.list" 683 | echo HKLM:%spmwd%\Scan,%dl%EmailScanning>>"%pth%hklm.list" 684 | echo HKLM:%spmwd%\Scan,%dl%Heuristics>>"%pth%hklm.list" 685 | echo HKLM:%spmwd%\Scan,%dl%RemovableDriveScanning>>"%pth%hklm.list" 686 | echo HKLM:%spmwd%\Scan,%dl%ReparsePointScanning>>"%pth%hklm.list" 687 | echo HKLM:%spmwd%\Scan,%dl%RestorePoint>>"%pth%hklm.list" 688 | echo HKLM:%spmwd%\Scan,%dl%ScanningMappedNetworkDrivesForFullScan>>"%pth%hklm.list" 689 | echo HKLM:%spmwd%\Scan,%dl%ScanningNetworkFiles>>"%pth%hklm.list" 690 | echo HKLM:%spmwd%\Scan,LowCpuPriority>>"%pth%hklm.list" 691 | echo HKLM:%spmwd%\Scan,ScanOnlyIfIdle>>"%pth%hklm.list" 692 | echo HKLM:%spmwd%\Signature Updates,%dl%ScanOnUpdate>>"%pth%hklm.list" 693 | echo HKLM:%spmwd%\Signature Updates,%dl%ScheduledSignatureUpdateOnBattery>>"%pth%hklm.list" 694 | echo HKLM:%spmwd%\Signature Updates,%dl%UpdateOnStartupWithoutEngine>>"%pth%hklm.list" 695 | echo HKLM:%spmwd%\Signature Updates,ForceUpdateFromMU>>"%pth%hklm.list" 696 | echo HKLM:%spmwd%\Signature Updates,RealtimeSignatureDelivery>>"%pth%hklm.list" 697 | echo HKLM:%spmwd%\Signature Updates,ScheduleTime>>"%pth%hklm.list" 698 | echo HKLM:%spmwd%\Signature Updates,Signature%dl%Notification>>"%pth%hklm.list" 699 | echo HKLM:%spmwd%\Signature Updates,SignatureUpdateCatchupInterval>>"%pth%hklm.list" 700 | echo HKLM:%spmwd%\Signature Updates,UpdateOnStartUp>>"%pth%hklm.list" 701 | echo HKLM:%spmwd%\%ss%,ConfigureAppInstallControl>>"%pth%hklm.list" 702 | echo HKLM:%spmwd%\%ss%,ConfigureAppInstallControlEnabled>>"%pth%hklm.list" 703 | echo HKLM:%spmwd%\Spynet,%dl%BlockAtFirstSeen>>"%pth%hklm.list" 704 | echo HKLM:%spmwd%\Spynet,LocalSettingOverrideSpynetReporting>>"%pth%hklm.list" 705 | echo HKLM:%spmwd%\Spynet,SpynetReporting>>"%pth%hklm.list" 706 | echo HKLM:%spmwd%\Spynet,SubmitSamplesConsent>>"%pth%hklm.list" 707 | echo HKLM:%spmwd%\UX Configuration,UILockdown>>"%pth%hklm.list" 708 | echo HKLM:%spmwd%\%wd% Exploit Guard\ASR,ExploitGuard_ASR_Rules>>"%pth%hklm.list" 709 | echo HKLM:%spmwd%\%wd% Exploit Guard\Controlled Folder Access,EnableControlledFolderAccess>>"%pth%hklm.list" 710 | echo HKLM:%spmwd%\%wd% Exploit Guard\Network Protection,EnableNetworkProtection>>"%pth%hklm.list" 711 | echo HKLM:%spm%\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch>>"%pth%hklm.list" 712 | echo HKLM:%spm%\Windows\DeviceGuard,ConfigureSystemGuardLaunch>>"%pth%hklm.list" 713 | echo HKLM:%spm%\Windows\DeviceGuard,EnableVirtualizationBasedSecurity>>"%pth%hklm.list" 714 | echo HKLM:%spm%\Windows\DeviceGuard,HVCIMATRequired>>"%pth%hklm.list" 715 | echo HKLM:%spm%\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity>>"%pth%hklm.list" 716 | echo HKLM:%spm%\Windows\DeviceGuard,LsaCfgFlags>>"%pth%hklm.list" 717 | echo HKLM:%spm%\Windows\DeviceGuard,RequirePlatformSecurityFeatures>>"%pth%hklm.list" 718 | echo HKLM:%spm%\Windows\System,Enable%ss%>>"%pth%hklm.list" 719 | echo HKLM:%spm%\Windows\WTDS\Components,NotifyMalicious>>"%pth%hklm.list" 720 | echo HKLM:%spm%\Windows\WTDS\Components,NotifyPasswordReuse>>"%pth%hklm.list" 721 | echo HKLM:%spm%\Windows\WTDS\Components,NotifyUnsafeApp>>"%pth%hklm.list" 722 | echo HKLM:%spm%\Windows\WTDS\Components,ServiceEnabled>>"%pth%hklm.list" 723 | echo HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}>>"%pth%hklm.list" 724 | echo HKLM:%scc%\CI\Policy>>"%pth%hklm.list" 725 | echo HKLM:%scc%\CI\State>>"%pth%hklm.list" 726 | echo HKLM:%scc%\Lsa,LsaCfgFlags>>"%pth%hklm.list" 727 | echo HKLM:%scc%\Lsa,RunAsPPL>>"%pth%hklm.list" 728 | echo HKLM:%scc%\Lsa,RunAsPPLBoot>>"%pth%hklm.list" 729 | echo HKLM:%sccd%,EnableVirtualizationBasedSecurity>>"%pth%hklm.list" 730 | echo HKLM:%sccd%,Locked>>"%pth%hklm.list" 731 | echo HKLM:%sccd%,RequirePlatformSecurityFeatures>>"%pth%hklm.list" 732 | echo HKLM:%sccd%,RequireMicrosoftSignedBootChain>>"%pth%hklm.list" 733 | echo HKLM:%sccd%\Capabilities>>"%pth%hklm.list" 734 | echo HKLM:%sccd%\Scenarios\CredentialGuard>>"%pth%hklm.list" 735 | echo HKLM:%sccd%\Scenarios\KeyGuard\Status>>"%pth%hklm.list" 736 | echo HKLM:%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity,Enabled>>"%pth%hklm.list" 737 | echo HKLM:%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity,HVCIMATRequired>>"%pth%hklm.list" 738 | echo HKLM:%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity,Locked>>"%pth%hklm.list" 739 | echo HKLM:%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity,WasEnabledBy>>"%pth%hklm.list" 740 | echo HKLM:%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity,WasEnabledBySysprep>>"%pth%hklm.list" 741 | echo HKLM:%sccd%\Scenarios\KernelShadowStacks,AuditModeEnabled>>"%pth%hklm.list" 742 | echo HKLM:%sccd%\Scenarios\KernelShadowStacks,Enabled>>"%pth%hklm.list" 743 | echo HKLM:%sccd%\Scenarios\KernelShadowStacks,WasEnabledBy>>"%pth%hklm.list" 744 | echo HKLM:%scc%\Ubpm,CriticalMaintenance_%df%erCleanup>>"%pth%hklm.list" 745 | echo HKLM:%scc%\Ubpm,CriticalMaintenance_%df%erVerification>>"%pth%hklm.list" 746 | echo HKLM:%scc%\WMI\Autologger\%df%erApiLogger,Start>>"%pth%hklm.list" 747 | echo HKLM:%scc%\WMI\Autologger\%df%erAuditLogger,Start>>"%pth%hklm.list" 748 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,WebThreatDefSvc_Allow_In>>"%pth%hklm.list" 749 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,WebThreatDefSvc_Allow_Out>>"%pth%hklm.list" 750 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,WebThreatDefSvc_Block_In>>"%pth%hklm.list" 751 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,WebThreatDefSvc_Block_Out>>"%pth%hklm.list" 752 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,Windows%df%er-1>>"%pth%hklm.list" 753 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,Windows%df%er-2>>"%pth%hklm.list" 754 | echo HKLM:%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System,Windows%df%er-3>>"%pth%hklm.list" 755 | echo HKLM:%scs%\MDCoreSvc,Start>>"%pth%hklm.list" 756 | echo HKLM:%scs%\MsSecFlt,Start>>"%pth%hklm.list" 757 | echo HKLM:%scs%\MsSecWfp,Start>>"%pth%hklm.list" 758 | echo HKLM:%scs%\SecurityHealthService,Start>>"%pth%hklm.list" 759 | echo HKLM:%scs%\Sense,Start>>"%pth%hklm.list" 760 | echo HKLM:%scs%\SgrmAgent,Start>>"%pth%hklm.list" 761 | echo HKLM:%scs%\SgrmBroker,Start>>"%pth%hklm.list" 762 | echo HKLM:%scs%\WdNisDrv,Start>>"%pth%hklm.list" 763 | echo HKLM:%scs%\WdNisSvc,Start>>"%pth%hklm.list" 764 | echo HKLM:%scs%\webthreatdefsvc,Start>>"%pth%hklm.list" 765 | echo HKLM:%scs%\webthreatdefusersvc,Start>>"%pth%hklm.list" 766 | echo HKLM:%scs%\Win%df%,Start>>"%pth%hklm.list" 767 | echo HKLM:%scs%\wscsvc,Start>>"%pth%hklm.list" 768 | echo HKLM:%scs%\wtd,Start>>"%pth%hklm.list" 769 | echo HKLM:%scs%\WdBoot,Start>>"%pth%hklm.list" 770 | echo HKLM:%scs%\WdFilter,Start>>"%pth%hklm.list" 771 | echo HKLM:%scs%\MsSecCore,Start>>"%pth%hklm.list" 772 | echo HKLM:%scs%\KslD,Start>>"%pth%hklm.list" 773 | echo HKLM:%scs%\AppID,Start>>"%pth%hklm.list" 774 | echo HKLM:%scs%\AppIDSvc,Start>>"%pth%hklm.list" 775 | echo HKLM:%scs%\applockerfltr,Start>>"%pth%hklm.list" 776 | exit /b 777 | 778 | :BackUpDone 779 | %ra% %ASR% /v "BackUpDone" /t %dw% /d 1 /f>nul 2>&1 780 | set BackUpDone=1 781 | exit /b 782 | 783 | :SetMP 784 | set fc=-Force 785 | %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "%sp% -CloudBlockLevel 0 %fc%;%sp% -%dl%ArchiveScanning 1 %fc%;%sp% -%dl%BehaviorMonitoring 1 %fc%;%sp% -%dl%BlockAtFirstSeen 1 %fc%;%sp% -%dl%BlockAtFirstSeen %fc%;%sp% -%dl%IntrusionPreventionSystem 1 %fc%;%sp% -%dl%IOAVProtection 1 %fc%;%sp% -%dl%PrivacyMode 1 %fc%;%sp% -%dl%RealtimeMonitoring 1 %fc%;%sp% -%dl%ScanningNetworkFiles 1 %fc%;%sp% -%dl%ScriptScanning 1 %fc%;%sp% -EnableNetworkProtection %dl%d %fc%;%sp% -HighThreatDefaultAction 9 %fc%;%sp% -LowThreatDefaultAction 9 %fc%;%sp% -ModerateThreatDefaultAction 9 %fc%;%sp% -PUAProtection %dl%d %fc%;%sp% -SevereThreatDefaultAction 9 %fc%;%sp% -Signature%dl%UpdateOnStartupWithoutEngine 1 %fc%;%sp% -UnknownThreatDefaultAction 9 %fc%" >nul 2>&1 786 | exit /b 787 | 788 | :PoliciesHKCU 789 | %msg% "Applying policies for the current user..." "Применение политик для текущего пользователя..." 790 | %ra% "HKCU%spm%\Edge" /v "%ss%Enabled" /t %dw% /d 0 /f>nul 2>&1 791 | %ra% "HKCU%spm%\Edge" /v "%ss%PuaEnabled" /t %dw% /d 0 /f>nul 2>&1 792 | set UserSettingDone=1 793 | exit /b 794 | 795 | :Policies 796 | %msg% "Applying group policies..." "Применение групповых политик..." 797 | %ra% "HKLM%spmwd%" /v "AllowFastServiceStartup" /t %dw% /d 0 /f>nul 2>&1 798 | %ra% "HKLM%spmwd%" /v "%dl%AntiSpyware" /t %dw% /d 1 /f>nul 2>&1 799 | %ra% "HKLM%spmwd%" /v "%dl%LocalAdminMerge" /t %dw% /d 1 /f>nul 2>&1 800 | %ra% "HKLM%spmwd%" /v "%dl%RoutinelyTakingAction" /t %dw% /d 1 /f>nul 2>&1 801 | %ra% "HKLM%spmwd%" /v "PUAProtection" /t %dw% /d 0 /f>nul 2>&1 802 | %ra% "HKLM%spmwd%" /v "RandomizeScheduleTaskTimes" /t %dw% /d 0 /f>nul 2>&1 803 | %ra% "HKLM%spmwd%" /v "ServiceKeepAlive" /t %dw% /d 0 /f>nul 2>&1 804 | %ra% "HKLM%spmwd%\Exclusions" /v "%dl%AutoExclusions" /t %dw% /d 1 /f>nul 2>&1 805 | %ra% "HKLM%spmwd%\MpEngine" /v "EnableFileHashComputation" /t %dw% /d 0 /f>nul 2>&1 806 | %ra% "HKLM%spmwd%\MpEngine" /v "MpBafsExtendedTimeout" /t %dw% /d 0 /f>nul 2>&1 807 | %ra% "HKLM%spmwd%\MpEngine" /v "MpCloudBlockLevel" /t %dw% /d 0 /f>nul 2>&1 808 | %ra% "HKLM%spmwd%\MpEngine" /v "MpEnablePus" /t %dw% /d 0 /f>nul 2>&1 809 | %ra% "HKLM%spmwd%\NIS\Consumers\IPS" /v "%dl%ProtocolRecognition" /t %dw% /d 1 /f>nul 2>&1 810 | %ra% "HKLM%spmwd%\NIS\Consumers\IPS" /v "%dl%SignatureRetirement" /t %dw% /d 1 /f>nul 2>&1 811 | %ra% "HKLM%spmwd%\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t %dw% /d 0 /f>nul 2>&1 812 | %ra% "HKLM%spmwd%\Policy Manager" /v "%dl%ScanningNetworkFiles" /t %dw% /d 1 /f>nul 2>&1 813 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%BehaviorMonitoring" /t %dw% /d 1 /f>nul 2>&1 814 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%IOAVProtection" /t %dw% /d 1 /f>nul 2>&1 815 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%InformationProtectionControl" /t %dw% /d 1 /f>nul 2>&1 816 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%IntrusionPreventionSystem" /t %dw% /d 1 /f>nul 2>&1 817 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%OnAccessProtection" /t %dw% /d 1 /f>nul 2>&1 818 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%RawWriteNotification" /t %dw% /d 1 /f>nul 2>&1 819 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%RealtimeMonitoring" /t %dw% /d 1 /f>nul 2>&1 820 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%ScanOnRealtimeEnable" /t %dw% /d 1 /f>nul 2>&1 821 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "%dl%ScriptScanning" /t %dw% /d 1 /f>nul 2>&1 822 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverride%dl%BehaviorMonitoring" /t %dw% /d 0 /f>nul 2>&1 823 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverride%dl%IOAVProtection" /t %dw% /d 0 /f>nul 2>&1 824 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverride%dl%IntrusionPreventionSystem" /t %dw% /d 0 /f>nul 2>&1 825 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverride%dl%OnAccessProtection" /t %dw% /d 0 /f>nul 2>&1 826 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverride%dl%RealtimeMonitoring" /t %dw% /d 0 /f>nul 2>&1 827 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "LocalSettingOverrideRealtimeScanDirection" /t %dw% /d 0 /f>nul 2>&1 828 | %ra% "HKLM%spmwd%\Real-Time Protection" /v "RealtimeScanDirection" /t %dw% /d 2 /f>nul 2>&1 829 | %ra% "HKLM%spmwd%\Spynet" /v "LocalSettingOverrideSpynetReporting" /t %dw% /d 0 /f>nul 2>&1 830 | %ra% "HKLM%spmwd%\Spynet" /v "SpynetReporting" /t %dw% /d 0 /f>nul 2>&1 831 | %ra% "HKLM%spmwd%\Spynet" /v "SubmitSamplesConsent" /t %dw% /d 2 /f>nul 2>&1 832 | %ra% "HKLM%spmwd%\Spynet" /v "%dl%BlockAtFirstSeen" /t %dw% /d 1 /f>nul 2>&1 833 | %ra% "HKLM%spmwd%\Signature Updates" /v "%dl%ScanOnUpdate" /t %dw% /d 1 /f>nul 2>&1 834 | %ra% "HKLM%spmwd%\Signature Updates" /v "%dl%ScheduledSignatureUpdateOnBattery" /t %dw% /d 1 /f>nul 2>&1 835 | %ra% "HKLM%spmwd%\Signature Updates" /v "%dl%UpdateOnStartupWithoutEngine" /t %dw% /d 1 /f>nul 2>&1 836 | %ra% "HKLM%spmwd%\Signature Updates" /v "ForceUpdateFromMU" /t %dw% /d 0 /f>nul 2>&1 837 | %ra% "HKLM%spmwd%\Signature Updates" /v "RealtimeSignatureDelivery" /t %dw% /d 0 /f>nul 2>&1 838 | %ra% "HKLM%spmwd%\Signature Updates" /v "ScheduleTime" /t %dw% /d "5184" /f>nul 2>&1 839 | %ra% "HKLM%spmwd%\Signature Updates" /v "Signature%dl%Notification" /t %dw% /d 1 /f>nul 2>&1 840 | %ra% "HKLM%spmwd%\Signature Updates" /v "SignatureUpdateCatchupInterval" /t %dw% /d 2 /f>nul 2>&1 841 | %ra% "HKLM%spmwd%\Signature Updates" /v "UpdateOnStartUp" /t %dw% /d 0 /f>nul 2>&1 842 | %ra% "HKLM%spmwd%\Reporting" /v "%dl%EnhancedNotifications" /t %dw% /d 1 /f>nul 2>&1 843 | %ra% "HKLM%spmwd%\Reporting" /v "%dl%GenericRePorts" /t %dw% /d 1 /f>nul 2>&1 844 | %ra% "HKLM%spmwd%\Reporting" /v "WppTracingComponents" /t %dw% /d 0 /f>nul 2>&1 845 | %ra% "HKLM%spmwd%\Reporting" /v "WppTracingLevel" /t %dw% /d 0 /f>nul 2>&1 846 | %ra% "HKLM%spmwd%\Scan" /v "%dl%ArchiveScanning" /t %dw% /d 1 /f>nul 2>&1 847 | %ra% "HKLM%spmwd%\Scan" /v "%dl%CatchupFullScan" /t %dw% /d 1 /f>nul 2>&1 848 | %ra% "HKLM%spmwd%\Scan" /v "%dl%CatchupQuickScan" /t %dw% /d 1 /f>nul 2>&1 849 | %ra% "HKLM%spmwd%\Scan" /v "%dl%EmailScanning" /t %dw% /d 1 /f>nul 2>&1 850 | %ra% "HKLM%spmwd%\Scan" /v "%dl%Heuristics" /t %dw% /d 1 /f>nul 2>&1 851 | %ra% "HKLM%spmwd%\Scan" /v "%dl%RemovableDriveScanning" /t %dw% /d 1 /f>nul 2>&1 852 | %ra% "HKLM%spmwd%\Scan" /v "%dl%ReparsePointScanning" /t %dw% /d 1 /f>nul 2>&1 853 | %ra% "HKLM%spmwd%\Scan" /v "%dl%RestorePoint" /t %dw% /d 1 /f>nul 2>&1 854 | %ra% "HKLM%spmwd%\Scan" /v "%dl%ScanningMappedNetworkDrivesForFullScan" /t %dw% /d 1 /f>nul 2>&1 855 | %ra% "HKLM%spmwd%\Scan" /v "%dl%ScanningNetworkFiles" /t %dw% /d 1 /f>nul 2>&1 856 | %ra% "HKLM%spmwd%\Scan" /v "LowCpuPriority" /t %dw% /d 1 /f>nul 2>&1 857 | %ra% "HKLM%spmwd%\Scan" /v "ScanOnlyIfIdle" /t %dw% /d 1 /f>nul 2>&1 858 | %ra% "HKLM%spmwd%\%wd% Exploit Guard\ASR" /v "ExploitGuard_ASR_Rules" /t %dw% /d 0 /f>nul 2>&1 859 | %ra% "HKLM%spmwd%\%wd% Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t %dw% /d 0 /f>nul 2>&1 860 | %ra% "HKLM%spmwd%\%wd% Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t %dw% /d 0 /f>nul 2>&1 861 | %ra% "HKLM%spmwd% Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t %dw% /d 1 /f>nul 2>&1 862 | :: 863 | %ra% "HKLM%spm%\Windows\System" /v "Enable%ss%" /t %dw% /d 0 /f>nul 2>&1 864 | %ra% "HKLM%spmwd%\%ss%" /v "ConfigureAppInstallControlEnabled" /t %dw% /d 1 /f>nul 2>&1 865 | %ra% "HKLM%spmwd%\%ss%" /v "ConfigureAppInstallControl" /t %sz% /d "Anywhere" /f>nul 2>&1 866 | %ra% "HKLM%spm%\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t %dw% /d 0 /f>nul 2>&1 867 | %ra% "HKLM%spm%\MicrosoftEdge\PhishingFilter" /v "PreventOverrideAppRepUnknown" /t %dw% /d 0 /f>nul 2>&1 868 | %ra% "HKLM%spm%\MicrosoftEdge\PhishingFilter" /v "" /t %dw% /d 0 /f>nul 2>&1 869 | %ra% "HKLM%spm%\Windows\WTDS\Components" /v "ServiceEnabled" /t %dw% /d 0 /f>nul 2>&1 870 | %ra% "HKLM%spm%\Windows\WTDS\Components" /v "NotifyUnsafeApp" /t %dw% /d 0 /f>nul 2>&1 871 | %ra% "HKLM%spm%\Windows\WTDS\Components" /v "NotifyMalicious" /t %dw% /d 0 /f>nul 2>&1 872 | %ra% "HKLM%spm%\Windows\WTDS\Components" /v "NotifyPasswordReuse" /t %dw% /d 0 /f>nul 2>&1 873 | :: 874 | %rd% "HKLM%spm%\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f>nul 2>&1 875 | %rd% "HKLM%spm%\Windows\DeviceGuard" /v "LsaCfgFlags" /f>nul 2>&1 876 | %rd% "HKLM%spm%\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f>nul 2>&1 877 | %rd% "HKLM%spm%\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f>nul 2>&1 878 | %rd% "HKLM%spm%\Windows\DeviceGuard" /v "ConfigureKernelShadowStacksLaunch" /f>nul 2>&1 879 | %ra% "HKLM%spm%\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t %dw% /d 0 /f>nul 2>&1 880 | %ra% "HKLM%spm%\Windows\DeviceGuard" /v "HVCIMATRequired" /t %dw% /d 0 /f>nul 2>&1 881 | :: 882 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Account protection" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 883 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\App and Browser protection" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 884 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Device performance and health" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 885 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Device security" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 886 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Family options" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 887 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Firewall and network protection" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 888 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Notifications" /v "%dl%Notifications" /t %dw% /d 1 /f>nul 2>&1 889 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Systray" /v "HideSystray" /t %dw% /d 1 /f>nul 2>&1 890 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd% Security Center\Virus and threat protection" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 891 | %ifNdef% NoSecHealth %ra% "HKLM%spmwd%\UX Configuration" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 892 | :: 893 | %ra% "HKLM%spm%\MRT" /v DontOfferThroughWUAU /t %dw% /d 1 /f>nul 2>&1 894 | %ra% "HKLM%spm%\MRT" /v DontReportInfectionInformation /t %dw% /d 1 /f>nul 2>&1 895 | :: 896 | set "HidePath=HKLM%smw%\%cv%\Policies\Explorer" 897 | %ifdef% NoSecHealth goto :EndHideSetting 898 | %rq% "%HidePath%" /v "SettingsPageVisibility">nul 2>&1||(%ra% "%HidePath%" /v "SettingsPageVisibility" /t %sz% /d "hide:windows%df%er" /f>nul 2>&1&goto :EndHideSetting) 899 | for /f "tokens=2*" %%a in ('%rq% "%HidePath%" /v "SettingsPageVisibility" 2^>nul') do set "SettingsPageVisibility=%%b" 900 | if "%SettingsPageVisibility%"==";" set SettingsPageVisibility= 901 | if "%SettingsPageVisibility%"=="hide:" set SettingsPageVisibility= 902 | %ifNdef% SettingsPageVisibility %ra% "%HidePath%" /v "SettingsPageVisibility" /t %sz% /d "hide:windows%df%er" /f>nul 2>&1 903 | echo %SettingsPageVisibility% | find /i "windows%df%er">nul 2>&1&&goto :EndHideSetting 904 | %ra% "%HidePath%" /v "SettingsPageVisibility" /t %sz% /d "%SettingsPageVisibility%;windows%df%er" /f>nul 2>&1 905 | :EndHideSetting 906 | %gpupdate% /force >nul 2>&1 907 | %ra% %ASR% /v "PoliciesDone" /t %dw% /d 1 /f>nul 2>&1 908 | set PoliciesDone"=1 909 | exit /b 910 | 911 | :RegistryHKCU 912 | %msg% "Applying registry settings for the current user..." "Применение настроек реестра для текущего пользователя..." 913 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Cache Maintenance" /%dl%>nul 2>&1 914 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Cleanup" /%dl%>nul 2>&1 915 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Scheduled Scan" /%dl%>nul 2>&1 916 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Verification" /%dl%>nul 2>&1 917 | %schtasks% /Change /TN "Microsoft\Windows\AppID\%ss%Specific" /%dl%>nul 2>&1 918 | :: 919 | %ra% "HKCU%smw%\%cv%\AppHost" /v "EnableWebContentEvaluation" /t %dw% /d 0 /f>nul 2>&1 920 | %ra% "HKCU%smw%\%cv%\AppHost" /v "PreventOverride" /t %dw% /d 0 /f>nul 2>&1 921 | :: 922 | %ra% "HKCU%smw% Security Health\State" /v "AppAndBrowser_Edge%ss%Off" /t %dw% /d 1 /f>nul 2>&1 923 | %ra% "HKCU%smw% Security Health\State" /v "AppAndBrowser_StoreApps%ss%Off" /t %dw% /d 1 /f>nul 2>&1 924 | %ra% "HKCU%smw% Security Health\State" /v "AppAndBrowser_Pua%ss%Off" /t %dw% /d 1 /f>nul 2>&1 925 | :: 926 | %ra% "HKCU%smw%\%cv%\Policies\Attachments" /v "SaveZoneInformation" /t %dw% /d 2 /f>nul 2>&1 927 | %ra% "HKCU%smw%\%cv%\Policies\Attachments" /v "HideZoneInfoOnProperties" /t %dw% /d 1 /f>nul 2>&1 928 | %ra% "HKCU%smw%\%cv%\Policies\Attachments" /v "ScanWithAntiVirus" /t %dw% /d 1 /f>nul 2>&1 929 | :: 930 | %ifNdef% NoSecHealth %ra% "HKCU%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 931 | %ifNdef% NoSecHealth call :BlockUWP sechealth 932 | %ifNdef% NoSecHealth call :BlockUWP chxapp 933 | call :ASR 934 | set UserSettingDone=1 935 | exit /b 936 | 937 | :ASR 938 | set "ASRs=" 939 | set "ASRd=" 940 | set "ASRn=0" 941 | for /f "tokens=1" %%i in ('%rq% "HKLM%smwd%\%wd% Exploit Guard\ASR\Rules" 2^>nul ^| %findstr% /B /C:" "') do call :addrule "%%i" 942 | if %ASRn% gtr 0 %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "Set-MpPreference -AttackSurfaceReductionRules_Ids %ASRs% -AttackSurfaceReductionRules_Actions %ASRd%" >nul 2>&1 943 | exit /b 944 | 945 | :addrule 946 | %ifdef% ASRs (set "ASRs=%ASRs%,%~1"&set "ASRd=%ASRd%,Disabled"&set /a ASRn+=1) 947 | %ifNdef% ASRs (set "ASRs=%~1"&set "ASRd=Disabled"&set /a ASRn=1) 948 | exit /b 949 | 950 | :Registry 951 | %msg% "Applying registry settings..." "Применение настроек реестра..." 952 | :: 953 | %ra% "HKLM%smw%\%cv%\AppHost" /v "EnableWebContentEvaluation" /t %dw% /d 0 /f>nul 2>&1 954 | :: 955 | %rd% "HKLM%smw%\%cv%\Shell Extensions\Approved" /v "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f>nul 2>&1 956 | %ra% "HKLM%smw%\%cv%\Shell Extensions\Blocked" /v "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /t %sz% /d "" /f>nul 2>&1 957 | %regsvr32% /u "%SystemDrive%\Program Files\%wd%\shellext.dll" /s>nul 2>&1 958 | :: 959 | %ra% "HKLM%scl%\exefile\shell\open" /v "No%ss%" /t %sz% /d "" /f>nul 2>&1 960 | %ra% "HKLM%scl%\exefile\shell\runas" /v "No%ss%" /t %sz% /d "" /f>nul 2>&1 961 | %ra% "HKLM%scl%\exefile\shell\runasuser" /v "No%ss%" /t %sz% /d "" /f>nul 2>&1 962 | :: 963 | %ifNdef% NoSecHealth %ra% "HKLM%smwd% Security Center\Notifications" /v "%dl%EnhancedNotifications" /t %dw% /d 1 /f>nul 2>&1 964 | %ifNdef% NoSecHealth %ra% "HKLM%smwd% Security Center\Virus and threat protection" /v "FilesBlockedNotification%dl%d" /t %dw% /d 1 /f>nul 2>&1 965 | %ifNdef% NoSecHealth %ra% "HKLM%smwd% Security Center\Virus and threat protection" /v "NoActionNotification%dl%d" /t %dw% /d 1 /f>nul 2>&1 966 | %ifNdef% NoSecHealth %ra% "HKLM%smwd% Security Center\Virus and threat protection" /v "SummaryNotification%dl%d" /t %dw% /d 1 /f>nul 2>&1 967 | %ra% "HKLM%smwd%" /v "%dl%AntiSpyware" /t %dw% /d 1 /f>nul 2>&1 968 | %ra% "HKLM%smwd%" /v "%dl%AntiVirus" /t %dw% /d 1 /f>nul 2>&1 969 | %ra% "HKLM%smwd%" /v "HybridModeEnabled" /t %dw% /d 0 /f>nul 2>&1 970 | %rd% "HKLM%smwd%" /v "IsServiceRunning" /f>nul 2>&1 971 | %ra% "HKLM%smwd%" /v "PUAProtection" /t %dw% /d 0 /f>nul 2>&1 972 | %ra% "HKLM%smwd%" /v "ProductStatus" /t %dw% /d 2 /f>nul 2>&1 973 | %ra% "HKLM%smwd%" /v "ProductType" /t %dw% /d 0 /f>nul 2>&1 974 | %rq% "HKLM%smwd%\CoreService">nul 2>&1||goto :SkipCoreService 975 | %ra% "HKLM%smwd%\CoreService" /v "%dl%CoreService1DSTelemetry" /t %dw% /d 1 /f>nul 2>&1 976 | %ra% "HKLM%smwd%\CoreService" /v "%dl%CoreServiceECSIntegration" /t %dw% /d 1 /f>nul 2>&1 977 | %ra% "HKLM%smwd%\CoreService" /v "Md%dl%ResController" /t %dw% /d 1 /f>nul 2>&1 978 | :SkipCoreService 979 | %ra% "HKLM%smwd%\Features" /v "EnableCACS" /t %dw% /d 0 /f>nul 2>&1 980 | %ra% "HKLM%smwd%\Features" /v "Protection" /t %dw% /d 0 /f>nul 2>&1 981 | %ra% "HKLM%smwd%\Features" /v "TamperProtection" /t %dw% /d 0 /f>nul 2>&1 982 | %ra% "HKLM%smwd%\Features" /v "TamperProtectionSource" /t %dw% /d 0 /f>nul 2>&1 983 | %rq% "HKLM%smwd%\EcsConfigs">nul 2>&1||goto :SkipEcsConfigs 984 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableAdsSymlinkMitigation_MpRamp" /t %dw% /d 0 /f>nul 2>&1 985 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableBmProcessInfoMetastoreMaintenance_MpRamp" /t %dw% /d 0 /f>nul 2>&1 986 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableCIWorkaroundOnCFAEnabled_MpRamp" /t %dw% /d 0 /f>nul 2>&1 987 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Md%dl%ResController" /t %dw% /d 1 /f>nul 2>&1 988 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Mp%dl%PropBagNotification" /t %dw% /d 1 /f>nul 2>&1 989 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Mp%dl%ResourceMonitoring" /t %dw% /d 1 /f>nul 2>&1 990 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpEnableNoMetaStoreProcessInfoContainer" /t %dw% /d 0 /f>nul 2>&1 991 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpEnablePurgeHipsCache" /t %dw% /d 0 /f>nul 2>&1 992 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_AdvertiseLogonMinutesFeature" /t %dw% /d 0 /f>nul 2>&1 993 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnableCommonMetricsEvents" /t %dw% /d 0 /f>nul 2>&1 994 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnableImpersonationOnNetworkResourceScan" /t %dw% /d 0 /f>nul 2>&1 995 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnablePersistedScanV2" /t %dw% /d 0 /f>nul 2>&1 996 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Kernel_EnableFolderGuardOnPostCreate" /t %dw% /d 0 /f>nul 2>&1 997 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Kernel_SystemIoRequestWorkOnBehalfOf" /t %dw% /d 0 /f>nul 2>&1 998 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Md%dl%1ds" /t %dw% /d 1 /f>nul 2>&1 999 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_MdEnableCoreService" /t %dw% /d 0 /f>nul 2>&1 1000 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_RtpEnable%df%erConfigMonitoring" /t %dw% /d 0 /f>nul 2>&1 1001 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpForceDllHostScanExeOnOpen" /t %dw% /d 0 /f>nul 2>&1 1002 | :SkipEcsConfigs 1003 | %ra% "HKLM%smwd%\Real-Time Protection" /v "%dl%AsyncScanOnOpen" /t %dw% /d 1 /f>nul 2>&1 1004 | %ra% "HKLM%smwd%\Real-Time Protection" /v "%dl%RealtimeMonitoring" /t %dw% /d 1 /f>nul 2>&1 1005 | %ra% "HKLM%smwd%\Real-Time Protection" /v "Dpa%dl%d" /t %dw% /d 1 /f>nul 2>&1 1006 | %ra% "HKLM%smwd%\Scan" /v "AvgCPULoadFactor" /t %dw% /d "10" /f>nul 2>&1 1007 | %ra% "HKLM%smwd%\Scan" /v "%dl%ArchiveScanning" /t %dw% /d 1 /f>nul 2>&1 1008 | %ra% "HKLM%smwd%\Scan" /v "%dl%EmailScanning" /t %dw% /d 1 /f>nul 2>&1 1009 | %ra% "HKLM%smwd%\Scan" /v "%dl%RemovableDriveScanning" /t %dw% /d 1 /f>nul 2>&1 1010 | %ra% "HKLM%smwd%\Scan" /v "%dl%ScanningMappedNetworkDrivesForFullScan" /t %dw% /d 1 /f>nul 2>&1 1011 | %ra% "HKLM%smwd%\Scan" /v "%dl%ScanningNetworkFiles" /t %dw% /d 1 /f>nul 2>&1 1012 | %ra% "HKLM%smwd%\Scan" /v "LowCpuPriority" /t %dw% /d 1 /f>nul 2>&1 1013 | %ra% "HKLM%smwd%\Spynet" /v "MAPSconcurrency" /t %dw% /d 0 /f>nul 2>&1 1014 | %ra% "HKLM%smwd%\Spynet" /v "SpyNetReporting" /t %dw% /d 0 /f>nul 2>&1 1015 | %ra% "HKLM%smwd%\Spynet" /v "SpyNetReportingLocation" /t REG_MULTI_SZ /d "https://0.0.0.0" /f>nul 2>&1 1016 | %ra% "HKLM%smwd%\Spynet" /v "SubmitSamplesConsent" /t %dw% /d 0 /f>nul 2>&1 1017 | %rd% "HKLM%smwd%\Threats\ThreatIDDefaultAction" /f>nul 2>&1 1018 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "0" /t %dw% /d 9 /f>nul 2>&1 1019 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "1" /t %dw% /d 9 /f>nul 2>&1 1020 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "2" /t %dw% /d 9 /f>nul 2>&1 1021 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "3" /t %dw% /d 9 /f>nul 2>&1 1022 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "4" /t %dw% /d 9 /f>nul 2>&1 1023 | %ra% "HKLM%smwd%\Threats\ThreatSeverityDefaultAction" /v "5" /t %dw% /d 9 /f>nul 2>&1 1024 | %rd% "HKLM%smwd%\Threats\ThreatTypeDefaultAction" /f>nul 2>&1" 1025 | %ra% "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "HeartbeatTrackingIndex" /t %dw% /d 0 /f>nul 2>&1 1026 | %ra% "HKLM%smwd%\%wd% Exploit Guard\ASR" /v "EnableASRConsumers" /t %dw% /d 0 /f>nul 2>&1 1027 | %rd% "HKLM%smwd%\%wd% Exploit Guard\ASR\Rules" /f>nul 2>&1 1028 | %ra% "HKLM%smwd%\%wd% Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t %dw% /d 0 /f>nul 2>&1 1029 | %ra% "HKLM%smwd%\%wd% Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t %dw% /d 0 /f>nul 2>&1 1030 | :: 1031 | %ifNdef% NoSecHealth %rq% "HKLM%smw%\%cv%\Run" /v "SecurityHealth">nul 2>&1&&( 1032 | %rd% "HKLM%smw%\%cv%\Run" /v "SecurityHealth" /f>nul 2>&1 1033 | %ra% "HKLM%smw%\%cv%\Run\Autoruns%dl%d" /v "SecurityHealth" /t REG_EXPAND_SZ /d "^%windir^%\system32\SecurityHealthSystray.exe" /f>nul 2>&1 1034 | %ra% "HKLM%smw%\%cv%\Explorer\StartupApproved\Run" /v "SecurityHealth" /t REG_BINARY /d "FFFFFFFFFFFFFFFFFFFFFFFF" /f>nul 2>&1 1035 | ) 1036 | :: 1037 | %ifNdef% NoSecHealth %ra% "HKLM%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1038 | :: 1039 | %ra% "HKLM%scc%\CI\Policy" /v "VerifiedAndReputablePolicyState" /t %dw% /d 0 /f>nul 2>&1 1040 | %rd% "HKLM%scc%\CI\State" /f>nul 2>&1 1041 | %ra% "HKLM%smwd%" /v "SmartLockerMode" /t %dw% /d 0 /f>nul 2>&1 1042 | %ra% "HKLM%smwd%" /v "VerifiedAndReputableTrustModeEnabled" /t %dw% /d 0 /f>nul 2>&1 1043 | :: 1044 | %ifNdef% NoSecHealth %ra% "HKLM%smwd% Security Center\Device security" /v "UILockdown" /t %dw% /d 1 /f>nul 2>&1 1045 | %rd% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /f>nul 2>&1 1046 | %rd% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBySysprep" /f>nul 2>&1 1047 | %ra% "HKLM%sccd%" /v "EnableVirtualizationBasedSecurity" /t %dw% /d 0 /f>nul 2>&1 1048 | %ra% "HKLM%sccd%" /v "RequirePlatformSecurityFeatures" /t %dw% /d 0 /f>nul 2>&1 1049 | %ra% "HKLM%sccd%" /v "RequireMicrosoftSignedBootChain" /t %dw% /d 0 /f>nul 2>&1 1050 | %ra% "HKLM%sccd%" /v "Locked" /t %dw% /d 0 /f>nul 2>&1 1051 | %rd% "HKLM%sccd%\Capabilities" /f>nul 2>&1 1052 | %ra% "HKLM%sccd%\Scenarios\CredentialGuard" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1053 | %ra% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1054 | %ra% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t %dw% /d 0 /f>nul 2>&1 1055 | %ra% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t %dw% /d 0 /f>nul 2>&1 1056 | %ra% "HKLM%sccd%\Scenarios\KernelShadowStacks" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1057 | %ra% "HKLM%sccd%\Scenarios\KernelShadowStacks" /v "AuditModeEnabled" /t %dw% /d 0 /f>nul 2>&1 1058 | %ra% "HKLM%sccd%\Scenarios\KernelShadowStacks" /v "WasEnabledBy" /t %dw% /d 4 /f>nul 2>&1 1059 | 1060 | %ra% "HKLM%scc%\Lsa" /v "LsaCfgFlags" /t %dw% /d 0 /f>nul 2>&1 1061 | %ra% "HKLM%scc%\Lsa" /v "RunAsPPL" /t %dw% /d 0 /f>nul 2>&1 1062 | %ra% "HKLM%scc%\Lsa" /v "RunAsPPLBoot" /t %dw% /d 0 /f>nul 2>&1 1063 | %rd% "HKLM%smwci%\LSASS.exe" /v "AuditLevel" /f>nul 2>&1 1064 | :: 1065 | %ra% "HKLM%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\Operational" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1066 | %ra% "HKLM%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\WHC" /v "Enabled" /t %dw% /d 0 /f>nul 2>&1 1067 | %ra% "HKLM%scc%\WMI\Autologger\%df%erApiLogger" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1068 | %ra% "HKLM%scc%\WMI\Autologger\%df%erAuditLogger" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1069 | :: 1070 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Allow_In" /f>nul 2>&1 1071 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Allow_Out" /f>nul 2>&1 1072 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Block_In" /f>nul 2>&1 1073 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Block_Out" /f>nul 2>&1 1074 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-1" /f>nul 2>&1 1075 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-2" /f>nul 2>&1 1076 | %rd% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-3" /f>nul 2>&1 1077 | :: 1078 | %rd% "HKLM%scc%\Ubpm" /v "CriticalMaintenance_%df%erCleanup" /f>nul 2>&1 1079 | %rd% "HKLM%scc%\Ubpm" /v "CriticalMaintenance_%df%erVerification" /f>nul 2>&1 1080 | :: 1081 | %tk% /im %ss%.exe /t /f>nul 2>&1 1082 | %rd% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1083 | %rd% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1084 | %rd% "HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1085 | :: 1086 | %ra% "HKLM%smw%\%cv%\Explorer" /v "%ss%Enabled" /t %sz% /d "Off" /f>nul 2>&1 1087 | %ra% "HKLM%smw%\%cv%\Explorer" /v "AicEnabled" /t %sz% /d "Anywhere" /f>nul 2>&1 1088 | exit /b 1089 | 1090 | :Services 1091 | %msg% "Disabling the launch of services and drivers..." "Отключение запуска служб и драйверов..." 1092 | for %%s in (Win%df% MDCoreSvc WdNisSvc Sense wscsvc SgrmBroker webthreatdefsvc webthreatdefusersvc WdNisDrv WdBoot WdFilter SgrmAgent MsSecWfp MsSecFlt MsSecCore wtd KslD AppID AppIDSvc applockerfltr) do %rq% "HKLM%scs%\%%~s">nul 2>&1&&%ra% "HKLM%scs%\%%~s" /v "Start" /t %dw% /d 4 /f>nul 2>&1 1093 | %ifNdef% NoSecHealth %rq% "HKLM%scs%\SecurityHealthService">nul 2>&1&&%ra% "HKLM%scs%\SecurityHealthService" /v "Start" /t %dw% /d 4 /f>nul 2>&1 1094 | :: 1095 | %rd% "HKLM%smw% NT\CurentVersion\Svchost" /v "WebThreatDefense" /f>nul 2>&1 1096 | exit /b 1097 | 1098 | :Block 1099 | %msg% "Block process launch via fake Debugger" "Блокировка запуска процессов через поддельный отладчик" 1100 | %ra% "HKLM%smwci%\ConfigSecurityPolicy.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1101 | %ra% "HKLM%smwci%\DlpUserAgent.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1102 | %ra% "HKLM%smwci%\%df%erbootstrapper.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1103 | %ra% "HKLM%smwci%\mpam-d.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1104 | %ra% "HKLM%smwci%\mpam-fe.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1105 | %ra% "HKLM%smwci%\mpam-fe_bd.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1106 | %ra% "HKLM%smwci%\mpas-d.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1107 | %ra% "HKLM%smwci%\mpas-fe.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1108 | %ra% "HKLM%smwci%\mpas-fe_bd.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1109 | %ra% "HKLM%smwci%\mpav-d.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1110 | %ra% "HKLM%smwci%\mpav-fe.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1111 | %ra% "HKLM%smwci%\mpav-fe_bd.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1112 | %ra% "HKLM%smwci%\MpCmdRun.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1113 | %ra% "HKLM%smwci%\MpCopyAccelerator.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1114 | %ra% "HKLM%smwci%\Mp%df%erCoreService.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1115 | %ra% "HKLM%smwci%\MpDlpCmd.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1116 | %ra% "HKLM%smwci%\MpDlpService.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1117 | %ra% "HKLM%smwci%\mpextms.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1118 | %ra% "HKLM%smwci%\MpSigStub.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1119 | %ra% "HKLM%smwci%\MsMpEng.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1120 | %ra% "HKLM%smwci%\MsSense.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1121 | %ra% "HKLM%smwci%\NisSrv.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1122 | %ra% "HKLM%smwci%\OfflineScannerShell.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1123 | %ra% "HKLM%smwci%\secinit.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1124 | %ra% "HKLM%smwci%\SecureKernel.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1125 | %ifNdef% NoSecHealth %ra% "HKLM%smwci%\SecurityHealthHost.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1126 | %ifNdef% NoSecHealth %ra% "HKLM%smwci%\SecurityHealthService.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1127 | %ifNdef% NoSecHealth %ra% "HKLM%smwci%\SecurityHealthSystray.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1128 | %ra% "HKLM%smwci%\SenseAP.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1129 | %ra% "HKLM%smwci%\SenseAPToast.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1130 | %ra% "HKLM%smwci%\SenseCM.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1131 | %ra% "HKLM%smwci%\SenseGPParser.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1132 | %ra% "HKLM%smwci%\SenseIdentity.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1133 | %ra% "HKLM%smwci%\SenseImdsCollector.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1134 | %ra% "HKLM%smwci%\SenseIR.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1135 | %ra% "HKLM%smwci%\SenseNdr.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1136 | %ra% "HKLM%smwci%\SenseSampleUploader.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1137 | %ra% "HKLM%smwci%\SenseTVM.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1138 | %ra% "HKLM%smwci%\SgrmBroker.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1139 | %ra% "HKLM%smwci%\%ss%.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1140 | if exist "%sysdir%\MRT.exe" %ra% "HKLM%smwci%\MRT.exe" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1141 | exit /b 1142 | 1143 | :BlockProcess 1144 | %ra% "HKLM%smwci%\%~1" /v "Debugger" /t %sz% /d "dllhost.exe" /f>nul 2>&1 1145 | exit /b %errorlevel% 1146 | 1147 | :UnBlockProcess 1148 | set "unbl=HKLM%smwci%\%~1" 1149 | %rd% "%unbl%" /v "Debugger" /f>nul 2>&1 1150 | %rq% "%unbl%" /v *>nul 2>&1 1151 | if %errorlevel%==1 %rd% "%unbl%" /f>nul 2>&1 1152 | exit /b %errorlevel% 1153 | 1154 | :RestoreCurrentUser 1155 | %msg% "Restore default setting for current user..." "Восстановление настроек по умолчанию для текущего пользователя..." 1156 | %regsvr32% /i "%SystemDrive%\Program Files\%wd%\shellext.dll" /s>nul 2>&1 1157 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Cache Maintenance" /Enable>nul 2>&1 1158 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Cleanup" /Enable>nul 2>&1 1159 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Scheduled Scan" /Enable>nul 2>&1 1160 | %schtasks% /Change /TN "Microsoft\Windows\%wd%\%wd% Verification" /Enable>nul 2>&1 1161 | %schtasks% /Change /TN "Microsoft\Windows\AppID\%ss%Specific" /Enable>nul 2>&1 1162 | %rd% "HKCU%smw% Security Health\State" /v "AppAndBrowser_Edge%ss%Off" /f>nul 2>&1 1163 | %rd% "HKCU%smw% Security Health\State" /v "AppAndBrowser_Pua%ss%Off" /f>nul 2>&1 1164 | %rd% "HKCU%smw% Security Health\State" /v "AppAndBrowser_StoreApps%ss%Off" /f>nul 2>&1 1165 | %rd% "HKCU%smw%\%cv%\AppHost" /v "EnableWebContentEvaluation" /t %dw% /d "1" /f>nul 2>&1 1166 | %rd% "HKCU%smw%\%cv%\AppHost" /v "PreventOverride" /f>nul 2>&1 1167 | %rd% "HKCU%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f>nul 2>&1 1168 | %rd% "HKCU%smw%\%cv%\Policies\Attachments" /f>nul 2>&1 1169 | %rd% "HKCU%spm%\Edge" /f>nul 2>&1 1170 | call :UnBlockUWP sechealth 1171 | call :UnBlockUWP chxapp 1172 | if exist "%save%MySecurityDefaults.reg" %reg% import "%save%MySecurityDefaults.reg">nul 2>&1 1173 | exit /b 1174 | 1175 | :Restore 1176 | %msg% "Restore default setting for system..." "Восстановление настроек по умолчанию для всей системы..." 1177 | set "HidePath=HKLM%smw%\%cv%\Policies\Explorer" 1178 | for /f "tokens=2*" %%a in ('%rq% "%HidePath%" /v "SettingsPageVisibility" 2^>nul') do set "SettingsPageVisibility=%%b" 1179 | %ifNdef% SettingsPageVisibility goto :SkipRestoreVisibility 1180 | echo %SettingsPageVisibility% | find /i "windows%df%er">nul 2>&1||goto :SkipRestoreVisibility 1181 | set SettingsPageVisibility=%SettingsPageVisibility:windowsdefender;=% 1182 | set SettingsPageVisibility=%SettingsPageVisibility:windowsdefender=% 1183 | if "%SettingsPageVisibility%"=="hide:" set SettingsPageVisibility= 1184 | %ra% "%HidePath%" /v "SettingsPageVisibility" /t %sz% /d "%SettingsPageVisibility%" /f>nul 2>&1 1185 | :SkipRestoreVisibility 1186 | %ra% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /ve /t %sz% /d "%ss%" /f>nul 2>&1 1187 | %ra% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /v "AppID" /t %sz% /d "{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1188 | %ra% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32" /ve /t %sz% /d "%windir%\System32\%ss%ps.dll" /f>nul 2>&1 1189 | %ra% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32" /v "ThreadingModel" /t %sz% /d "Both" /f>nul 2>&1 1190 | %ra% "HKLM%scl%\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\LocalServer32" /ve /t %sz% /d "%windir%\System32\%ss%.exe" /f>nul 2>&1 1191 | %ifNdef% ProgramFiles(x86) goto :SkipRestoreSmartScreen 1192 | %ra% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /ve /t %sz% /d "%ss%" /f>nul 2>&1 1193 | %ra% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /v "AppID" /t %sz% /d "{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1194 | %ra% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32" /ve /t %sz% /d "%windir%\SysWOW64\%ss%ps.dll" /f>nul 2>&1 1195 | %ra% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\InProcServer32" /v "ThreadingModel" /t %sz% /d "Both" /f>nul 2>&1 1196 | %ra% "HKLM%scl%\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}\LocalServer32" /ve /t %sz% /d "%windir%\SysWOW64\%ss%.exe" /f>nul 2>&1 1197 | :SkipRestoreSmartScreen 1198 | %rd% "HKLM%scl%\exefile\shell\open" /v "No%ss%" /f>nul 2>&1 1199 | %rd% "HKLM%scl%\exefile\shell\runas" /v "No%ss%" /f>nul 2>&1 1200 | %rd% "HKLM%scl%\exefile\shell\runasuser" /v "No%ss%" /f>nul 2>&1 1201 | %ra% "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "HeartbeatTrackingIndex" /t %dw% /d "2" /f>nul 2>&1 1202 | %rd% "HKLM%smwd% Security Center\Device security" /v "UILockdown" /f>nul 2>&1 1203 | %rd% "HKLM%smwd% Security Center\Notifications" /v "%dl%EnhancedNotifications" /f>nul 2>&1 1204 | %rd% "HKLM%smwd% Security Center\Virus and threat protection" /v "FilesBlockedNotification%dl%d" /f>nul 2>&1 1205 | %rd% "HKLM%smwd% Security Center\Virus and threat protection" /v "NoActionNotification%dl%d" /f>nul 2>&1 1206 | %rd% "HKLM%smwd% Security Center\Virus and threat protection" /v "SummaryNotification%dl%d" /f>nul 2>&1 1207 | %ra% "HKLM%smwd%" /v "%dl%AntiSpyware" /t %dw% /d "0" /f>nul 2>&1 1208 | %ra% "HKLM%smwd%" /v "%dl%AntiVirus" /t %dw% /d "0" /f>nul 2>&1 1209 | %ra% "HKLM%smwd%" /v "HybridModeEnabled" /t %dw% /d "1" /f>nul 2>&1 1210 | %ra% "HKLM%smwd%" /v "IsServiceRunning" /t %dw% /d "1" /f>nul 2>&1 1211 | %ra% "HKLM%smwd%" /v "ProductStatus" /t %dw% /d "0" /f>nul 2>&1 1212 | %ra% "HKLM%smwd%" /v "ProductType" /t %dw% /d "2" /f>nul 2>&1 1213 | %ra% "HKLM%smwd%" /v "PUAProtection" /t %dw% /d "2" /f>nul 2>&1 1214 | %ra% "HKLM%smwd%" /v "SmartLockerMode" /t %dw% /d "1" /f>nul 2>&1 1215 | %ra% "HKLM%smwd%" /v "VerifiedAndReputableTrustModeEnabled" /t %dw% /d "1" /f>nul 2>&1 1216 | %ra% "HKLM%smwd%" /v "SacLearningModeSwitch" /t %dw% /d "0" /f>nul 2>&1 1217 | %rq% "HKLM%smwd%\CoreService">nul 2>&1||goto :SkipRestoreCoreService 1218 | %ra% "HKLM%smwd%\CoreService" /v "%dl%CoreService1DSTelemetry" /t %dw% /d "0" /f>nul 2>&1 1219 | %ra% "HKLM%smwd%\CoreService" /v "%dl%CoreServiceECSIntegration" /t %dw% /d "0" /f>nul 2>&1 1220 | %ra% "HKLM%smwd%\CoreService" /v "Md%dl%ResController" /t %dw% /d "0" /f>nul 2>&1 1221 | :SkipRestoreCoreService 1222 | %ra% "HKLM%smwd%\Features" /v "EnableCACS" /t %dw% /d "0" /f>nul 2>&1 1223 | %rd% "HKLM%smwd%\Features" /v "Protection" /f>nul 2>&1 1224 | %ra% "HKLM%smwd%\Features" /v "TamperProtection" /t %dw% /d "1" /f>nul 2>&1 1225 | %ra% "HKLM%smwd%\Features" /v "TamperProtectionSource" /t %dw% /d "5" /f>nul 2>&1 1226 | %rq% "HKLM%smwd%\EcsConfigs">nul 2>&1||goto :SkipRestoreEcsConfigs 1227 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableAdsSymlinkMitigation_MpRamp" /t %dw% /d "1" /f>nul 2>&1 1228 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableBmProcessInfoMetastoreMaintenance_MpRamp" /t %dw% /d "1" /f>nul 2>&1 1229 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "EnableCIWorkaroundOnCFAEnabled_MpRamp" /t %dw% /d "1" /f>nul 2>&1 1230 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Md%dl%ResController" /t %dw% /d "0" /f>nul 2>&1 1231 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Mp%dl%PropBagNotification" /t %dw% /d "0" /f>nul 2>&1 1232 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "Mp%dl%ResourceMonitoring" /t %dw% /d "0" /f>nul 2>&1 1233 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpEnableNoMetaStoreProcessInfoContainer" /t %dw% /d "1" /f>nul 2>&1 1234 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpEnablePurgeHipsCache" /t %dw% /d "1" /f>nul 2>&1 1235 | %rd% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_AdvertiseLogonMinutesFeature" /f>nul 2>&1 1236 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnableCommonMetricsEvents" /t %dw% /d "1" /f>nul 2>&1 1237 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnableImpersonationOnNetworkResourceScan" /t %dw% /d "1" /f>nul 2>&1 1238 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_EnablePersistedScanV2" /t %dw% /d "1" /f>nul 2>&1 1239 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Kernel_EnableFolderGuardOnPostCreate" /t %dw% /d "1" /f>nul 2>&1 1240 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Kernel_SystemIoRequestWorkOnBehalfOf" /t %dw% /d "1" /f>nul 2>&1 1241 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_Md%dl%1ds" /t %dw% /d "0" /f>nul 2>&1 1242 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_MdEnableCoreService" /t %dw% /d "1" /f>nul 2>&1 1243 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpFC_RtpEnable%df%erConfigMonitoring" /t %dw% /d "1" /f>nul 2>&1 1244 | %ra% "HKLM%smwd%\Features\EcsConfigs" /v "MpForceDllHostScanExeOnOpen" /t %dw% /d "1" /f>nul 2>&1 1245 | :SkipRestoreEcsConfigs 1246 | %ra% "HKLM%smwd%\Real-Time Protection" /v "%dl%AsyncScanOnOpen" /t %dw% /d "0" /f>nul 2>&1 1247 | %ra% "HKLM%smwd%\Real-Time Protection" /v "%dl%RealtimeMonitoring" /t %dw% /d "0" /f>nul 2>&1 1248 | %ra% "HKLM%smwd%\Real-Time Protection" /v "Dpa%dl%d" /t %dw% /d "0" /f>nul 2>&1 1249 | %rd% "HKLM%smwd%\Scan" /v "AvgCPULoadFactor" /f>nul 2>&1 1250 | %ra% "HKLM%smwd%\Scan" /v "%dl%ArchiveScanning" /t %dw% /d "0" /f>nul 2>&1 1251 | %ra% "HKLM%smwd%\Scan" /v "%dl%EmailScanning" /t %dw% /d "0" /f>nul 2>&1 1252 | %ra% "HKLM%smwd%\Scan" /v "%dl%RemovableDriveScanning" /t %dw% /d "0" /f>nul 2>&1 1253 | %ra% "HKLM%smwd%\Scan" /v "%dl%ScanningMappedNetworkDrivesForFullScan" /t %dw% /d "0" /f>nul 2>&1 1254 | %ra% "HKLM%smwd%\Scan" /v "%dl%ScanningNetworkFiles" /f>nul 2>&1 1255 | %rd% "HKLM%smwd%\Scan" /v "LowCpuPriority" /f>nul 2>&1 1256 | %ra% "HKLM%smwd%\Spynet" /v "MAPSconcurrency" /t %dw% /d "1" /f>nul 2>&1 1257 | %ra% "HKLM%smwd%\Spynet" /v "SpyNetReporting" /t %dw% /d "2" /f>nul 2>&1 1258 | %ra% "HKLM%smwd%\Spynet" /v "SpyNetReportingLocation" /t %sz% /d "SOAP:https://wdcp.microsoft.com/WdCpSrvc.asmx SOAP:https://wdcpalt.microsoft.com/WdCpSrvc.asmx REST:https://wdcp.microsoft.com/wdcp.svc/submitReport REST:https://wdcpalt.microsoft.com/wdcp.svc/submitReport BOND:https://wdcp.microsoft.com/wdcp.svc/bond/submitreport BOND:https://wdcpalt.microsoft.com/wdcp.svc/bond/submitreport" /f>nul 2>&1 1259 | %ra% "HKLM%smwd%\Spynet" /v "SubmitSamplesConsent" /t %dw% /d "1" /f>nul 2>&1 1260 | %rd% "HKLM%smwd%\%wd% Exploit Guard\ASR" /v "EnableASRConsumers" /f>nul 2>&1 1261 | %rd% "HKLM%smwd%\%wd% Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f>nul 2>&1 1262 | %ra% "HKLM%smwd%\%wd% Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t %dw% /d "0" /f>nul 2>&1 1263 | %rd% "HKLM%smwci%\ConfigSecurityPolicy.exe" /f>nul 2>&1 1264 | %rd% "HKLM%smwci%\DlpUserAgent.exe" /f>nul 2>&1 1265 | %rd% "HKLM%smwci%\%df%erbootstrapper.exe" /f>nul 2>&1 1266 | %rd% "HKLM%smwci%\mpam-d.exe" /f>nul 2>&1 1267 | %rd% "HKLM%smwci%\mpam-fe.exe" /f>nul 2>&1 1268 | %rd% "HKLM%smwci%\mpam-fe_bd.exe" /f>nul 2>&1 1269 | %rd% "HKLM%smwci%\mpas-d.exe" /f>nul 2>&1 1270 | %rd% "HKLM%smwci%\mpas-fe.exe" /f>nul 2>&1 1271 | %rd% "HKLM%smwci%\mpas-fe_bd.exe" /f>nul 2>&1 1272 | %rd% "HKLM%smwci%\mpav-d.exe" /f>nul 2>&1 1273 | %rd% "HKLM%smwci%\mpav-fe.exe" /f>nul 2>&1 1274 | %rd% "HKLM%smwci%\mpav-fe_bd.exe" /f>nul 2>&1 1275 | %rd% "HKLM%smwci%\MpCmdRun.exe" /f>nul 2>&1 1276 | %rd% "HKLM%smwci%\MpCopyAccelerator.exe" /f>nul 2>&1 1277 | %rd% "HKLM%smwci%\Mp%df%erCoreService.exe" /f>nul 2>&1 1278 | %rd% "HKLM%smwci%\MpDlpCmd.exe" /f>nul 2>&1 1279 | %rd% "HKLM%smwci%\MpDlpService.exe" /f>nul 2>&1 1280 | %rd% "HKLM%smwci%\mpextms.exe" /f>nul 2>&1 1281 | %rd% "HKLM%smwci%\MpSigStub.exe" /f>nul 2>&1 1282 | %rd% "HKLM%smwci%\MsMpEng.exe" /v "Debugger" /f>nul 2>&1 1283 | %rd% "HKLM%smwci%\MsSense.exe" /v "Debugger" /f>nul 2>&1 1284 | %rd% "HKLM%smwci%\NisSrv.exe" /f>nul 2>&1 1285 | %rd% "HKLM%smwci%\OfflineScannerShell.exe" /f>nul 2>&1 1286 | %rd% "HKLM%smwci%\secinit.exe" /f>nul 2>&1 1287 | %rd% "HKLM%smwci%\SecureKernel.exe" /f>nul 2>&1 1288 | %rd% "HKLM%smwci%\SecurityHealthHost.exe" /f>nul 2>&1 1289 | %rd% "HKLM%smwci%\SecurityHealthService.exe" /f>nul 2>&1 1290 | %rd% "HKLM%smwci%\SecurityHealthSystray.exe" /f>nul 2>&1 1291 | %rd% "HKLM%smwci%\SenseAP.exe" /f>nul 2>&1 1292 | %rd% "HKLM%smwci%\SenseAPToast.exe" /f>nul 2>&1 1293 | %rd% "HKLM%smwci%\SenseCM.exe" /f>nul 2>&1 1294 | %rd% "HKLM%smwci%\SenseGPParser.exe" /f>nul 2>&1 1295 | %rd% "HKLM%smwci%\SenseIdentity.exe" /f>nul 2>&1 1296 | %rd% "HKLM%smwci%\SenseImdsCollector.exe" /f>nul 2>&1 1297 | %rd% "HKLM%smwci%\SenseIR.exe" /f>nul 2>&1 1298 | %rd% "HKLM%smwci%\SenseNdr.exe" /f>nul 2>&1 1299 | %rd% "HKLM%smwci%\SenseSampleUploader.exe" /f>nul 2>&1 1300 | %rd% "HKLM%smwci%\SenseTVM.exe" /f>nul 2>&1 1301 | %rd% "HKLM%smwci%\SgrmBroker.exe" /f>nul 2>&1 1302 | %rd% "HKLM%smwci%\%ss%.exe" /f>nul 2>&1 1303 | %rd% "HKLM%smwci%\MRT.exe" /v "Debugger" /f>nul 2>&1 1304 | %ra% "HKLM%smw% NT\%cv%\Svchost" /v "WebThreatDefense" /t %sz% /d "webthreatdefsvc" /f>nul 2>&1 1305 | %ra% "HKLM%smw%\%cv%\AppHost" /v "EnableWebContentEvaluation" /t %dw% /d "1" /f>nul 2>&1 1306 | %rd% "HKLM%smw%\%cv%\Explorer" /v "AicEnabled" /f>nul 2>&1 1307 | %rd% "HKLM%smw%\%cv%\Explorer" /v "%ss%Enabled" /f>nul 2>&1 1308 | %ra% "HKLM%smw%\%cv%\Explorer\StartupApproved\Run" /v "SecurityHealth" /t REG_BINARY /d "040000000000000000000000" /f>nul 2>&1 1309 | %rd% "HKLM%smw%\%cv%\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /f>nul 2>&1 1310 | %ra% "HKLM%smw%\%cv%\Run" /v "SecurityHealth" /t %sz% /d "C:\WINDOWS\system32\SecurityHealthSystray.exe" /f>nul 2>&1 1311 | %rd% "HKLM%smw%\%cv%\Run\Autoruns%dl%d" /f>nul 2>&1 1312 | %ra% "HKLM%smw%\%cv%\Shell Extensions\Approved" /v "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /t %sz% /d "EPP" /f>nul 2>&1 1313 | %rd% "HKLM%smw%\%cv%\Shell Extensions\Blocked" /f>nul 2>&1 1314 | %ra% "HKLM%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\Operational" /v "Enabled" /t %dw% /d "1" /f>nul 2>&1 1315 | %ra% "HKLM%smw%\%cv%\WINEVT\Channels\Microsoft-Windows-%wd%\WHC" /v "Enabled" /t %dw% /d "1" /f>nul 2>&1 1316 | %rd% "HKLM%spm%\MicrosoftEdge\PhishingFilter" /f>nul 2>&1 1317 | %rd% "HKLM%spmwd% Security Center" /f>nul 2>&1 1318 | %rd% "HKLM%spmwd%" /f>nul 2>&1 1319 | %rd% "HKLM%spmwd%\%wd% Exploit Guard" /f>nul 2>&1 1320 | %rd% "HKLM%spm%\Windows\DeviceGuard" /f>nul 2>&1 1321 | %rd% "HKLM%spm%\Windows\System" /v "Enable%ss%" /f>nul 2>&1 1322 | %rd% "HKLM%spm%\Windows\WTDS\Components" /f>nul 2>&1 1323 | %ra% "HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /ve /t %sz% /d "%ss%" /f>nul 2>&1 1324 | %ra% "HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /v "AppID" /t %sz% /d "{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d}" /f>nul 2>&1 1325 | %ra% "HKLM\SYSTEM\ControlSet001\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t %dw% /d "1" /f>nul 2>&1 1326 | %ra% "HKLM\SYSTEM\ControlSet001\Control\CI\Protected" /v "VerifiedAndReputablePolicyStateMinValueSeen" /t %dw% /d "2" /f>nul 2>&1 1327 | %ra% "HKLM%scc%\CI\Policy" /v "VerifiedAndReputablePolicyState" /t %dw% /d "1" /f>nul 2>&1 1328 | %ra% "HKLM%scc%\CI\Protected" /v "VerifiedAndReputablePolicyStateMinValueSeen" /t %dw% /d "2" /f>nul 2>&1 1329 | %rd% "HKLM%scc%\CI\State" /f>nul 2>&1 1330 | %rd% "HKLM%sccd%" /v "EnableVirtualizationBasedSecurity" /f>nul 2>&1 1331 | %rd% "HKLM%sccd%" /v "Locked" /f>nul 2>&1 1332 | %rd% "HKLM%sccd%" /v "RequirePlatformSecurityFeatures" /f>nul 2>&1 1333 | %rd% "HKLM%sccd%" /v "RequireMicrosoftSignedBootChain" /f>nul 2>&1 1334 | %rd% "HKLM%sccd%\Scenarios\CredentialGuard" /f>nul 2>&1 1335 | %rd% "HKLM%sccd%\Scenarios\HypervisorEnforcedCodeIntegrity" /f>nul 2>&1 1336 | %rd% "HKLM%sccd%\Scenarios\KernelShadowStacks" /f>nul 2>&1 1337 | %rd% "HKLM%sccd%\Capabilities" /f>nul 2>&1 1338 | %ra% "HKLM%scc%\Ubpm" /v "CriticalMaintenance_%df%erCleanup" /t %sz% /d "NT Task\Microsoft\Windows\%wd%\%wd% Cleanup" /f>nul 2>&1 1339 | %ra% "HKLM%scc%\Ubpm" /v "CriticalMaintenance_%df%erVerification" /t %sz% /d "NT Task\Microsoft\Windows\%wd%\%wd% Verification" /f>nul 2>&1 1340 | %ra% "HKLM%scc%\WMI\Autologger\%df%erApiLogger" /v "Start" /t %dw% /d "1" /f>nul 2>&1 1341 | %ra% "HKLM%scc%\WMI\Autologger\%df%erAuditLogger" /v "Start" /t %dw% /d "1" /f>nul 2>&1 1342 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Allow_In" /t %sz% /d "v2.0|Action=Allow|Dir=In|App=%%SystemRoot%%\system32\svchost.exe|Svc=WebThreatDefSvc|LPort=443|Protocol=6|Name=Allow WebThreatDefSvc to receive from port 443|" /f>nul 2>&1 1343 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Allow_Out" /t %sz% /d "v2.0|Action=Allow|Dir=Out|App=%%SystemRoot%%\system32\svchost.exe|Svc=WebThreatDefSvc|RPort=443|Protocol=6|Name=Allow WebThreatDefSvc to send to port 443|" /f>nul 2>&1 1344 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Block_In" /t %sz% /d "v2.0|Action=Block|Dir=In|App=%%SystemRoot%%\system32\svchost.exe|Svc=WebThreatDefSvc|Name=Block inbound traffic to WebThreatDefSvc|" /f>nul 2>&1 1345 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "WebThreatDefSvc_Block_Out" /t %sz% /d "v2.0|Action=Block|Dir=Out|App=%%SystemRoot%%\system32\svchost.exe|Svc=WebThreatDefSvc|Name=Block outbound traffic to WebThreatDefSvc|" /f>nul 2>&1 1346 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-1" /t %sz% /d "v2.0|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=%%ProgramFiles%%\%wd%\MsMpEng.exe|Svc=Win%df%|Name=Allow Out TCP traffic from Win%df%|" /f>nul 2>&1 1347 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-2" /t %sz% /d "v2.0|Action=Block|Active=TRUE|Dir=In|App=%%ProgramFiles%%\%wd%\MsMpEng.exe|Svc=Win%df%|Name=Block All In traffic to Win%df%|" /f>nul 2>&1 1348 | %ra% "HKLM%scs%\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System" /v "Windows%df%er-3" /t %sz% /d "v2.0|Action=Block|Active=TRUE|Dir=Out|App=%%ProgramFiles%%\%wd%\MsMpEng.exe|Svc=Win%df%|Name=Block All Out traffic from Win%df%|" /f>nul 2>&1 1349 | %rq% "HKLM%scs%\MDCoreSvc">nul 2>&1&&%ra% "HKLM%scs%\MDCoreSvc" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1350 | %rq% "HKLM%scs%\MsSecCore">nul 2>&1&&%ra% "HKLM%scs%\MsSecCore" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1351 | %rq% "HKLM%scs%\MsSecFlt">nul 2>&1&&%ra% "HKLM%scs%\MsSecFlt" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1352 | %rq% "HKLM%scs%\MsSecWfp">nul 2>&1&&%ra% "HKLM%scs%\MsSecWfp" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1353 | %rq% "HKLM%scs%\SecurityHealthService">nul 2>&1&&%ra% "HKLM%scs%\SecurityHealthService" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1354 | %rq% "HKLM%scs%\Sense">nul 2>&1&&%ra% "HKLM%scs%\Sense" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1355 | %rq% "HKLM%scs%\SgrmAgent">nul 2>&1&&%ra% "HKLM%scs%\SgrmAgent" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1356 | %rq% "HKLM%scs%\SgrmBroker">nul 2>&1&&%ra% "HKLM%scs%\SgrmBroker" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1357 | %rq% "HKLM%scs%\WdBoot">nul 2>&1&&%ra% "HKLM%scs%\WdBoot" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1358 | %rq% "HKLM%scs%\WdFilter">nul 2>&1&&%ra% "HKLM%scs%\WdFilter" /v "Start" /t %dw% /d 0 /f>nul 2>&1 1359 | %rq% "HKLM%scs%\WdNisDrv">nul 2>&1&&%ra% "HKLM%scs%\WdNisDrv" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1360 | %rq% "HKLM%scs%\WdNisSvc">nul 2>&1&&%ra% "HKLM%scs%\WdNisSvc" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1361 | %rq% "HKLM%scs%\webthreatdefsvc">nul 2>&1&&%ra% "HKLM%scs%\webthreatdefsvc" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1362 | %rq% "HKLM%scs%\webthreatdefusersvc">nul 2>&1&&%ra% "HKLM%scs%\webthreatdefusersvc" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1363 | %rq% "HKLM%scs%\Win%df%">nul 2>&1&&%ra% "HKLM%scs%\Win%df%" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1364 | %rq% "HKLM%scs%\wscsvc">nul 2>&1&&%ra% "HKLM%scs%\wscsvc" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1365 | %rq% "HKLM%scs%\wtd">nul 2>&1&&%ra% "HKLM%scs%\wtd" /v "Start" /t %dw% /d 2 /f>nul 2>&1 1366 | %rq% "HKLM%scs%\KslD">nul 2>&1&&%ra% "HKLM%scs%\KslD" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1367 | %rq% "HKLM%scs%\AppID">nul 2>&1&&%ra% "HKLM%scs%\AppID" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1368 | %rq% "HKLM%scs%\AppIDSvc">nul 2>&1&&%ra% "HKLM%scs%\AppIDSvc" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1369 | %rq% "HKLM%scs%\applockerfltr">nul 2>&1&&%ra% "HKLM%scs%\applockerfltr" /v "Start" /t %dw% /d 3 /f>nul 2>&1 1370 | call :UnBlockUWP sechealth 1371 | call :UnBlockUWP chxapp 1372 | if exist "%save%MySecurityDefaults.reg" %reg% import "%save%MySecurityDefaults.reg">nul 2>&1 1373 | %gpupdate% /force >nul 2>&1 1374 | exit /b 1375 | 1376 | :ListUWP 1377 | set "UWP=%~1" 1378 | set UwpName= 1379 | %rq% "%uwpsearch%" /f "*%UWP%*" /k>nul 2>&1&&for /f "tokens=*" %%a in ('%rq% "%uwpsearch%" /f "*%UWP%*" /k^|^|goto :EndSearchListUWP') do (set "UwpName=%%~nxa"&goto :EndSearchListUWP) 1380 | :EndSearchListUWP 1381 | %ifNdef% UwpName exit /b 1382 | echo HKLM:%smw%\%cv%\Appx\AppxAllUserStore\Deprovisioned\%UwpName%>>"%pth%hkcu.list" 1383 | echo HKLM:%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\S-1-5-18\%UwpName%>>"%pth%hkcu.list" 1384 | for /f "tokens=*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore" ^| %findstr% /R /C:"S-1-5-21-*"') do ( 1385 | echo HKLM:%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\%%~nxa\%UwpName%>>"%pth%hkcu.list" 1386 | echo HKLM:%smw%\%cv%\Appx\AppxAllUserStore\Deleted\EndOfLife\%%~nxa\%UwpName%>>"%pth%hkcu.list" 1387 | echo HKLM:%smw%\%cv%\Appx\AppxAllUserStore\%%~nxa\%UwpName%>>"%pth%hkcu.list") 1388 | exit /b 1389 | 1390 | :BlockUWP 1391 | set "UWP=%~1" 1392 | set UwpName= 1393 | %rq% "%uwpsearch%" /f "*%UWP%*" /k>nul 2>&1&&for /f "tokens=2" %%a in ('%rq% "%uwpsearch%" /f "*%UWP%*" /k^|^|goto :EndSearchBlockUWP') do (set "UwpName=%%~nxa"&goto :EndSearchBlockUWP) 1394 | :EndSearchBlockUWP 1395 | %ifNdef% UwpName exit /b 1396 | %ra% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deprovisioned\%UwpName%" /f>nul 2>&1 1397 | %ra% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\S-1-5-18\%UwpName%" /f>nul 2>&1 1398 | for /f "tokens=*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore" ^| %findstr% /R /C:"S-1-5-21-*"') do ( 1399 | %ra% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\%%~nxa\%UwpName%" /f>nul 2>&1 1400 | %ra% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deleted\EndOfLife\%%~nxa\%UwpName%" /f>nul 2>&1 1401 | ) 1402 | exit /b 1403 | 1404 | :UnBlockUWP 1405 | set "UWP=%~1" 1406 | set UwpName= 1407 | set UwpPath= 1408 | %rq% "%uwpsearch%" /f "*%UWP%*" /k>nul 2>&1&&for /f "tokens=*" %%a in ('%rq% "%uwpsearch%" /f "*%UWP%*" /k') do (set "UwpName=%%~nxa"&goto :EndSearchUnBlockUWP) 1409 | %rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\InboxApplications" /f "*%UWP%*" /k>nul 2>&1&&for /f "tokens=*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\InboxApplications" /f "*%UWP%*" /k') do (set "UwpName=%%~nxa"&goto :EndSearchUnBlockUWP) 1410 | %rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deprovisioned" /f "*%UWP%*" /k>nul 2>&1&&for /f "tokens=*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deprovisioned" /f "*%UWP%*" /k') do (set "UwpName=%%~nxa"&goto :EndSearchUnBlockUWP) 1411 | :EndSearchUnBlockUWP 1412 | %ifNdef% UwpName exit /b 1413 | for /f "tokens=2*" %%a in ('%rq% "%uwpsearch%\%UwpName%" /v "Path" 2^>nul') do set "UwpPath=%%b" 1414 | %ifNdef% UwpPath for /f "tokens=2*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\InboxApplications\%UwpName%" /v "Path" 2^>nul') do set "UwpPath=%%b" 1415 | %ifNdef% UwpPath for /d %%f in ("%windir%\SystemApps\*%UWP%*") do set "UwpPath=%%f\AppXManifest.xml" 1416 | %ifNdef% UwpPath for /d %%f in ("%ProgramFiles%\WindowsApps\*%UWP%*") do set "UwpPath=%%f\AppXManifest.xml" 1417 | %rd% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deprovisioned\%UwpName%" /f >nul 2>&1 1418 | %rd% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\S-1-5-18\%UwpName%" /f >nul 2>&1 1419 | for /f "tokens=*" %%a in ('%rq% "HKLM%smw%\%cv%\Appx\AppxAllUserStore" ^| %findstr% /R /C:"S-1-5-21-*"') do ( 1420 | %rd% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\EndOfLife\%%~nxa\%UwpName%" /f >nul 2>&1 1421 | %rd% "HKLM%smw%\%cv%\Appx\AppxAllUserStore\Deleted\EndOfLife\%%~nxa\%UwpName%" /f >nul 2>&1 1422 | ) 1423 | %ifNdef% SAFEBOOT_OPTION %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "Reset-AppxPackage -Package %UwpName%" >nul 2>&1 1424 | %ifdef% UwpPath %powershell% -MTA -NoP -NoL -NonI -EP Bypass -c "Add-AppxPackage -%dl%DevelopmentMode -Register '%UwpPath%'" >nul 2>&1 1425 | exit /b 1426 | 1427 | :WinRE 1428 | set winre= 1429 | for /f "delims=" %%i in ('%reagentc% /info ^| %findstr% /i "Enabled"') do (if not errorlevel 1 (set winre=1)) 1430 | %ifNdef% winre %reagentc% /enable>nul 2>&1 1431 | for /f "delims=" %%i in ('%reagentc% /info ^| %findstr% /i "Enabled"') do (if not errorlevel 1 (set winre=1)) 1432 | %ifNdef% winre %msg% "Windows Recovery Environment is missing or cannot be enabled" "В системе отсутсвует Среда восстановления Windows или её невозвможно включить"&exit /b 1433 | %reagentc% /boottore>nul 2>&1 1434 | manage-bde -protectors %sys%: -%dl% -rebootcount 2 1435 | %msg% "The computer will now reboot intoWindows Recovery Environment" "Компьютер сейчас перезагрузиться в Среду восстановления Windows" 1436 | %shutdown% /r /f /t 3 /c "Reboot WinRE" 1437 | %timeout% 4 1438 | exit /b 1439 | 1440 | :SAC 1441 | reg load HKLM\sac %sys%:\windows\system32\config\system 1442 | reg add HKLM\sac\controlset001\control\ci\policy /v VerifiedAndReputablePolicyState /t REG_DWORD /d 2 /f 1443 | reg add HKLM\sac\controlset001\control\ci\protected /v VerifiedAndReputablePolicyStateMinValueSeen /t REG_DWORD /d 2 /f 1444 | reg unload HKLM\sac 1445 | reg load HKLM\sac2 %sys%:\windows\system32\config\SOFTWARE 1446 | reg add "HKLM\sac2\Microsoft\Windows Defender" /v SacLearningModeSwitch /t REG_DWORD /d 0 /f 1447 | reg unload HKLM\sac2 1448 | goto :EOF 1449 | 1450 | :MiniHelp 1451 | cls 1452 | echo. 1453 | %msg% "Group Policies" "Групповые политики" 1454 | echo. 1455 | %msg% "Legally. Documented. Incomplete." "Легально. Документированно. Неполноценно." 1456 | %msg% "Only known group policies are applied through the registry" "Применяются только известные групповые политики через реестр" 1457 | %msg% "Drivers, services, and background processes are active but do not perform any actions" "Драйверы, службы и фоновые процессы активны, но не выполняют никаких действий" 1458 | echo. 1459 | %msg% "Policies + Registry Settings" "Политики + Настройки реестра" 1460 | echo. 1461 | %msg% "Semi-legally. Almost complete." "Полулегально. Почти полноценно." 1462 | %msg% "In addition to policies, known tweaks are applied to %dl% various protection aspects" "В дополнение к политикам применяются известные твики отключающие различные аспекты защит" 1463 | %msg% "Only drivers and services are active in the background, performing no actions" "Только драйверы и службы активны в фоне, не выполняют никаких действий" 1464 | echo. 1465 | %msg% "Policies + Settings + Disabling Services and drivers" "Политики + Настройки + Отключение служб и драйверов" 1466 | echo. 1467 | %msg% "Illegally. Complete." "Нелегально. Полноценно." 1468 | %msg% "Also %dl%s the startup of all related services and drivers" "Также отключается запуск всех сопутствующих служб и драйверов" 1469 | %msg% "No background activities" "Никаких фоновых активностей" 1470 | echo. 1471 | %msg% "Policies + Settings + Disabling Services and drivers + Block launch executables" "Политики + Настройки + Отключение служб и драйверов + Блокировка запуска" 1472 | echo. 1473 | %msg% "Hacker-style. Excessive." "По-хакерски. Избыточно." 1474 | %msg% "Blocks the launch of known protection processes by assigning an incorrect debugger in the registry" "Блокируется запуск известных процессов защит с помощью назначения неправильного дебагера в реестре" 1475 | %msg% "Helps reduce the risk of enabling the %df%er during a Windows update" "Помогает снизить риск включения защитника при обновлении Windows" 1476 | echo. 1477 | pause 1478 | exit /b 1479 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2004 Sam Hocevar 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. -------------------------------------------------------------------------------- /Media/AchillesScript.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lostzombie/AchillesScript/8fb309f06c4bc0c38ed93905fe9bf96a9c52026b/Media/AchillesScript.ico -------------------------------------------------------------------------------- /Media/AchillesScript.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lostzombie/AchillesScript/8fb309f06c4bc0c38ed93905fe9bf96a9c52026b/Media/AchillesScript.png -------------------------------------------------------------------------------- /Media/tui_en.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lostzombie/AchillesScript/8fb309f06c4bc0c38ed93905fe9bf96a9c52026b/Media/tui_en.png -------------------------------------------------------------------------------- /Media/tui_ru.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lostzombie/AchillesScript/8fb309f06c4bc0c38ed93905fe9bf96a9c52026b/Media/tui_ru.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 | Achilles' Script 4 | 5 | # Achilles' Script 6 | Disable Windows Defender and Security 7 | 8 | **WIN+R** 9 | ``` 10 | cmd /c curl -L -o %tmp%\a.cmd kutt.it/off&&%tmp%\a.cmd 11 | ``` 12 | 13 | ![English](https://img.shields.io/badge/Language-En-blue)  ![Russian](https://img.shields.io/badge/Language-Ru-blue) 14 | 15 | ## 💻Terminal User Interface 16 | 17 | Achilles' Script TUI En Achilles' Script TUI Ru 18 | 19 | 20 | 21 | 22 | 23 | 24 | 43 | 64 | 85 | 106 | 131 | 132 |
UsageИспользование
25 | Execute the command from the header or download 26 | 27 | [AchillesScript.cmd](https://github.com/lostzombie/AchillesScript/raw/refs/heads/main/AchillesScript.cmd) 28 | 29 | > There are no dependencies. Online is not required. 30 | 31 | Just run it and select the appropriate item: 32 | 33 | 34 | Выполните комманду из заголовка или скачайте 35 | 36 | [AchillesScript.cmd](https://github.com/lostzombie/AchillesScript/raw/refs/heads/main/AchillesScript.cmd) 37 | 38 | > Зависимостей нет. Онлайн не требуется. 39 | 40 | Просто запустите и выберите подходящий пункт: 41 | 42 |
44 | 45 | 1. Group Policies 46 | 47 | > Legally. Documented. Incomplete.] 48 | > 49 | > Only known group policies are applied through the registry. 50 | > 51 | > Drivers, services, and background processes are active but do not perform any actions. 52 | 53 | 54 | 55 | 1. Групповые политики 56 | 57 | > Легально. Документированно. Неполноценно. 58 | > 59 | > Применяются только известные групповые политики через реестр. 60 | > 61 | > Драйверы, службы и фоновые процессы активны, но не выполняют никаких действий. 62 | 63 |
65 | 66 | 2. Policies + Registry Settings 67 | 68 | > Semi-legally. Almost complete. 69 | > 70 | > In addition to policies, known tweaks are applied to disable various protection aspects. 71 | > 72 | > Only drivers and services are active in the background, performing no actions. 73 | 74 | 75 | 76 | 2. Политики + Настройки реестра 77 | 78 | > Полулегально. Почти полноценно. 79 | > 80 | > В дополнение к политикам применяются известные твики отключающие различные аспекты защит. 81 | > 82 | > Только драйверы и службы активны в фоне, не выполняют никаких действий. 83 | 84 |
86 | 87 | 3. Policies + Settings + Disabling Services and drivers 88 | 89 | > Illegally. Complete. 90 | > 91 | > Also disables the startup of all related services and drivers. 92 | > 93 | > No background activities. 94 | 95 | 96 | 97 | 3. Политики + Настройки + Отключение служб и драйверов 98 | 99 | > Нелегально. Полноценно. 100 | > 101 | > Также отключается запуск всех сопутствующих служб и драйверов. 102 | > 103 | > Никаких фоновых активностей. 104 | 105 |
107 | 108 | 4. Policies + Settings + Disabling Services and drivers + Block launch executables 109 | 110 | > Hacker-style. Excessive. 111 | > 112 | > Blocks the launch of known protection processes by assigning an incorrect debugger in the registry. 113 | > 114 | > Helps reduce the risk of enabling the defender after Windows update. 115 | 116 | It is recommended to repeat the application after major Windows updates. 117 | 118 | 119 | 120 | 4. Политики + Настройки + Отключение служб и драйверов + Блокировка запуска 121 | 122 | > По-хакерски. Избыточно. 123 | > 124 | > Блокируется запуск известных процессов защит с помощью назначения неправильного дебагера в реестре. 125 | > 126 | > Помогает снизить риск включения защитника после обновлении Windows. 127 | 128 | Рекомендуется повторять примение после крупных обновлениий Windows. 129 | 130 |
133 | 134 | ## 🧑‍💻Command Line Interface 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 187 | 228 | 241 | 326 | 327 |
UsageИспользование
143 | 144 | Using menu items 145 | 146 | without warnings: 147 | 148 | Policies 149 | 150 | `AchillesScript.cmd apply 1` 151 | 152 | Policies + Registry settings 153 | 154 | `AchillesScript.cmd apply 2` 155 | 156 | Policies + Settings + Disabling services 157 | 158 | `AchillesScript.cmd apply 3` 159 | 160 | Policies + Settings + disabling services + blocking startup 161 | 162 | `AchillesScript.cmd apply 4` 163 | 164 | 165 | 166 | Применение пунктов меню 167 | 168 | без предупреждений: 169 | 170 | Политики 171 | 172 | `AchillesScript.cmd apply 1` 173 | 174 | Политики + настройки реестра 175 | 176 | `AchillesScript.cmd apply 2` 177 | 178 | Политики + настройки + отключение служб 179 | 180 | `AchillesScript.cmd apply 3` 181 | 182 | Политики + настройки + отключение служб + блокировка запуска 183 | 184 | `AchillesScript.cmd apply 4` 185 | 186 |
188 | 189 | Applying individual categories independently (for tests): 190 | 191 | `AchillesScript.cmd apply policies` 192 | 193 | `AchillesScript.cmd apply setting` 194 | 195 | `AchillesScript.cmd apply services` 196 | 197 | `AchillesScript.cmd apply block` 198 | 199 | Applying individual categories together to choose from (for tests): 200 | 201 | `AchillesScript.cmd multi policies services` 202 | 203 | `AchillesScript.cmd multi setting block` 204 | 205 | `AchillesScript.cmd multi setting services block` 206 | 207 | 208 | 209 | Применение отдельных категорий независимо (для тестов): 210 | 211 | `AchillesScript.cmd apply policies` 212 | 213 | `AchillesScript.cmd apply setting` 214 | 215 | `AchillesScript.cmd apply services` 216 | 217 | `AchillesScript.cmd apply block` 218 | 219 | Применение отдельных категорий совместно на выбор (для тестов): 220 | 221 | `AchillesScript.cmd multi policies services` 222 | 223 | `AchillesScript.cmd multi setting block` 224 | 225 | `AchillesScript.cmd multi setting services block` 226 | 227 |
229 | 230 | Restoring default settings: 231 | 232 | `AchillesScript.cmd restore` 233 | 234 | 235 | 236 | Восстановление по настроек поумолчанию: 237 | 238 | `AchillesScript.cmd restore` 239 | 240 |
242 | 243 | Additional functions: 244 | 245 | Blocking / unblocking process startup: 246 | 247 | `AchillesScript.cmd block process.exe` 248 | 249 | `AchillesScript.cmd unblock process.exe` 250 | 251 | Blocking / unblocking preinstalled UWP apps by mask: 252 | 253 | `AchillesScript.cmd uwpoff calc` 254 | 255 | `AchillesScript.cmd uwpon calc` 256 | 257 | Running with Trusted Installer privileges: 258 | 259 | `AchillesScript.cmd ti "path with space\process.exe"` 260 | 261 | `AchillesScript.cmd ti process.exe param1 param2` 262 | 263 | Backup of current security settings: 264 | (generates MySecurityDefaults.reg with all keys affected by the script, 265 | create a restore point if they are enabled, 266 | launch a RegBackup event in the scheduler if it is configured) 267 | 268 | `AchillesScript.cmd backup` 269 | 270 | Reboot into safe mode: 271 | 272 | `AchillesScript.cmd safeboot` 273 | 274 | Reboot into the recovery environment, if available: 275 | 276 | `AchillesScript.cmd winre` 277 | 278 | For the recovery environment - 279 | Enable Smart App Control: 280 | 281 | `AchillesScript.cmd sac` 282 | 283 | 284 | 285 | Дополнительные функции: 286 | 287 | Блокировка / разблокировка запуска процесса: 288 | 289 | `AchillesScript.cmd block process.exe` 290 | 291 | `AchillesScript.cmd unblock process.exe` 292 | 293 | Блокировка / разблокировка предустановленных UWP приложений по маске: 294 | 295 | `AchillesScript.cmd uwpoff calc` 296 | 297 | `AchillesScript.cmd uwpon calc` 298 | 299 | Запуск с привилегиями Trusted Installer: 300 | 301 | `AchillesScript.cmd ti "path with space\process.exe"` 302 | 303 | `AchillesScript.cmd ti process.exe param1 param2` 304 | 305 | Бэкап текущих настроек безопасности: 306 | (генерирует MySecurityDefaults.reg со всеми ключами затрагиваемыми скриптом, 307 | cоздание точки восстановления если они включены, 308 | запуск в планировщике события RegBackup, если оно настроено) 309 | 310 | `AchillesScript.cmd backup` 311 | 312 | Перезагрузить в безопасной режим: 313 | 314 | `AchillesScript.cmd safeboot` 315 | 316 | Перезагрузить в среду восстановления, если доступно: 317 | 318 | `AchillesScript.cmd winre` 319 | 320 | Для среды восстановлениия - 321 | Включить Интеллектуальное управление приложениями: 322 | 323 | `AchillesScript.cmd sac` 324 | 325 |
328 | 329 | ## License ⚡ Лицензия 330 | 331 | [WTFPL v2](https://wtfpl2.com) 332 | --------------------------------------------------------------------------------