diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index a1092dc5..da8dd218 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -2281,7 +2281,7 @@ actions: valueName: DisableResetbase dataType: REG_DWORD data: '0' - dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (โ‰ฅ 21H1) | Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (โ‰ฅ 22H2) + dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (โ‰ฅ 21H1) | ๐Ÿ” Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (โ‰ฅ 22H2) - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. @@ -10679,7 +10679,7 @@ actions: valueName: AutofillAddressEnabled # Edge โ‰ฅ 77 dwordData: '0' - - name: Disable Edge experimentation and remote configurations + name: Disable Edge experimentation and remote configuration recommend: standard docs: |- # refactor-with-variables: โ€ข Chromium Policy Caution This script disables the Experimentation and Configuration Service in Microsoft Edge, effectively stopping 
@@ -14918,23 +14918,26 @@ actions: Privacy concerns include: - Sending personal data to Microsoft for analysis [1] [2] [9]. - This allows Microsoft to collect and potentially access your sensitive information. + This allows Microsoft to collect and potentially access your sensitive information. - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. - This prevents users from controlling what data Microsoft collects about them. + This prevents users from controlling what data Microsoft collects about them. - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. - This discourages users from using tools designed to protect their privacy. + This discourages users from using tools designed to protect their privacy. + - Defender itself may introduce vulnerabilities [11] [12]. + This can potentially allow attackers to exploit Defender's own features or implementation flaws. + Despite being a security product, it increases your system's attack surface. Turning off Defender also improves your computer's speed by freeing up system resources [5]. However, disabling these features may result in: - - Potential program malfunctions [11], as these security features are integral to Windows [6]. + - Potential program malfunctions [13], as these security features are integral to Windows [6]. - Lowered defenses against malware and other online threats. - These scripts are primarily designed to disable Defender features that come built into Windows. - They may also affect additional Defender products not included in the default Windows installation. - However, some Defender services available with Microsoft 365 subscriptions may remain unaffected - by these scripts [7] [8]. + These scripts mainly target the built-in Defender features. + Most Defender services that come with Microsoft 365 subscriptions remain largely unaffected [7] [8]. 
+ However, the scripts may impact additional Defender products not included in the standard Windows + installation, such as Defender for Endpoint. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. @@ -14950,7 +14953,9 @@ actions: [8]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" [9]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement โ€“ Microsoft privacy | privacy.microsoft.com" [10]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [11]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [11]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" + [12]: https://web.archive.org/web/20240830101341/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-9767/Microsoft-Windows-Defender.html "Microsoft Windows Defender : Security vulnerabilities, CVEs | www.cvedetails.com" + [13]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Defender data collection 
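Review bot: The added bullet `Defender itself may introduce vulnerabilities [11] [12]` is filed under the `Privacy concerns include:` list, but it is a security claim and belongs in its own paragraph. The follow-up line `Despite being a security product, it increases your system's attack surface` is stated as fact with no counterweight that disabling Defender removes its protection altogether. I would hedge it, e.g. `Like other software that inspects untrusted content with high privileges, Defender has had vulnerabilities of its own [11] [12].` Separately, the rewritten sentence `Most Defender services that come with Microsoft 365 subscriptions remain largely unaffected [7] [8]` is a stronger claim than the removed `some ... may remain unaffected` while citing the same two references. Keep the hedged wording unless those sources support "most".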
@@ -15850,7 +15855,7 @@ actions: valueName: "TamperProtectionSource" dataType: REG_DWORD data: "2" - dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0` on Windows 11 Pro (โ‰ฅ 23H2) + dataOnRevert: "5" # Default value: ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0` on Windows 11 Pro (โ‰ฅ 23H2) elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โœ… Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2) - name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 
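Review bot: On the changed `dataOnRevert: "5"` line, the value written on revert matches neither default documented in its own comment, which says the value is missing on Windows 10 Pro (22H2 and later) and `0` on Windows 11 Pro (23H2 and later). Because `TamperProtectionSource` is part of the tamper-protection state, a revert that leaves a non-default value behind should be confirmed and explained rather than only annotated with a new marker. Either document the intent, e.g. `# Revert writes 5 (<meaning>), which differs from the OS default`, or restore the defaults by deleting the value on Windows 10 and writing `0` on Windows 11. The enclosing script starts above the hunk, so any companion value it sets is not visible here.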
@@ -16954,6 +16959,479 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Antimalware Scan Interface (AMSI) + docs: |- + This category contains scripts that disable various components of + the Antimalware Scan Interface (AMSI) in Windows. + + AMSI is a standard interface that allows applications and services to + integrate with antimalware products on Windows systems [1] [2] [3] [4] [5]. + It functions as an interception engine, enabling software to work with Defender + and other antivirus solutions to detect potentially malicious scripts and content [1] [2] [3] [5]. + + Key features of AMSI include: + + - Scanning scripts and macros for malicious content before execution [1] [2] [3] [5] + - Providing an additional layer of security against script-based attacks [1] [2] [3] [5] + - Allowing different antivirus vendors to conduct scanning operations [1] [3] [4] [5] + + Disabling AMSI components may enhance privacy by: + + - Reducing the amount of data collected and analyzed by antimalware services + [1] [3] [5] + - Limiting the sharing of potentially sensitive information with security + providers [1] [2] [3] [4] [5] + + It may also improve system performance by: + + - Reducing script scanning overhead [5] + - Decreasing background scanning activities + + However, disabling AMSI carries significant security risks: + + - Reduced protection against malicious scripts, including PowerShell commands and + Microsoft Office macros [1] [2] [3] [5] + - Weakened ability to detect and prevent malware, especially obfuscated threats [2] [3] [5] + - Increased vulnerability to script-based attacks and potentially harmful software gaining + control over the system + + > **Caution:** + > Disabling AMSI components may significantly reduce your system's security. 
+ > It weakens defenses against malware and script-based threats, potentially exposing your system + > to various security risks. + + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [5]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + children: + - + name: Disable Defender AMSI provider + docs: |- + This script disables the Microsoft Defender Antimalware Scan Interface (AMSI) provider, + which is a component of Defender. + + The AMSI provider is part of the **Antimalware Scan Interface (AMSI)** [1] [2]. + AMSI adds security against malicious scripts in Windows [2]. + It allows different antivirus vendors to conduct scanning operations for script-based attacks [2]. + AMSI provides interface to integrate antimalware modules [1] [3]. + By default, Defender uses AMSI to block potentially harmful PowerShell scripts, JavaScript, and + VBA macros [2] + + The main file for the AMSI provider is `MpOav.dll` [1] [3] [4] [5]. 
+ This file: + - Collects Defender's health data and logs [6] + - Decides about content from applications [3] + - May inject itself into other processes [6] + - Scans system memory [3] + + Disabling the AMSI provider may improve your privacy by reducing the amount of data + collected and analyzed by Defender. + It may also improve system performance by reducing script scanning overhead. + + > **Caution:** This script may reduce your security by disabling a protection mechanism against malicious scripts. + + ### Technical Details + + This script deletes: + + - COM objects: + - `MpOav.dll` COM class (CLSID: `{2781761E-28E0-4109-99FE-B9D127C57AFE}`) [3] [4] [7] [8] + - Outdated `MpOav.dll` COM class (CLSID: `2781761E-28E1-4109-99FE-B9D127C57AFE`) [5] + - AMSI provider registration at `HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [2] [3] [4] + - `MpOav.dll` File: + - Current location: `%PROGRAMFILES%\Windows Defender\MpOav.dll` [4]. + According to tests, this file exists on Windows 10 (โ‰ฅ 22H2) and Windows 11 (โ‰ฅ 23H2). 
+ - Previous locations (no longer used in modern Windows versions and not targeted by this script): + - `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MpOav.dll` [1] [3] [9] + - `%PROGRAMFILES%\Microsoft Security Client\MpOAv.dll` [5] + - Internet Explorer Related Entries: + - Current registration: `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE}` [8] [10] + - Legacy associations: + - `HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] + - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE}` [5] + + [1]: https://web.archive.org/web/20240828115433/https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371 "More about AMSI integration with Exchange Server - Microsoft Community Hub | techcommunity.microsoft.com" + [2]: https://web.archive.org/web/20240828115459/https://pentestlaboratories.com/2021/06/01/threat-hunting-amsi-bypasses/ "Threat Hunting AMSI Bypasses | Pentest Laboratories" + [3]: https://web.archive.org/web/20240828115324/https://redcanary.com/blog/threat-detection/better-know-a-data-source/amsi/ "Better know a data source: Antimalware Scan Interface | redcanary.com" + [4]: https://web.archive.org/web/20240828115241/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E0-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E0-4109-99FE-B9D127C57AFE | Windows Defender IOfficeAntiVirus implementation | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240831103818/https://serverfault.com/questions/643718/acrobat-reader-xi-addon-gets-disabled-periodically-in-internet-explorer-within-w/666205#666205 "Acrobat Reader XI addon gets disabled periodically in Internet Explorer within Windows domain - Server Fault | serverfault.com" + [6]: 
https://web.archive.org/web/20240828115306/https://dexpacks.lakesidesoftware.com/articles/troubleshooting/Defender-s-MpOav-dll-Injects-Itself-into-SysTrack-Processes-1632490263859 "Defender's MpOav.dll Injects Itself into SysTrack Processes | Lakeside Software Customer Gateway | Lakeside Software, LLC | dexpacks.lakesidesoftware.com" + [7]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [8]: https://web.archive.org/web/20240830100517/https://skanthak.hier-im-netz.de/offender.html "Vulnerabilities Introduced by Windows Defender | skanthak.hier-im-netz.de" + [9]: https://web.archive.org/web/20240828115310/https://www.file.net/process/mpoav.dll.html "MpOav.dll Windows process - What is it? 
| www.file.net" + [10]: https://web.archive.org/web/20240830100359/https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/dn301826(v=vs.85) "IExtensionValidation interface (Windows) | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E0-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpOav.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
+ # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E1-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2781761E-28E1-4109-99FE-B9D127C57AFE} + - + name: Disable Defender UAC AMSI provider + docs: |- + This script disables the Defender UAC (User Account Control) AMSI (Antimalware Scan Interface) provider. + + The UAC AMSI provider allows Defender to scan and analyze UAC elevation requests for potential security + threats [1]. + UAC manages the elevation of privileges for executables, COM objects, MSI packages, + and ActiveX installations [1]. + UAC elevation on Windows is a security feature that asks for permission before allowing + changes that could affect the system's operation. + + Disabling this provider may enhance privacy by reducing the amount of data scanned and analyzed + during UAC elevation requests. + It may also improve system performance by removing this security check. + However, disabling this component may reduce your system's ability to detect and prevent malware exploiting UAC elevation. 
+ + > **Caution:** + > This script may reduce your computer's security by disabling a feature that helps prevent + > harmful software from gaining more control over your system. + + ### Technical Details + + This script targets the **Windows Defender IAmsiUacProvider** implementation [2], + This provider integrates with the `WinDefend` service [3] [4] [5]. + The `WinDefend` service runs `MpSvc.dll` [6], which utilizes this component as a UAC provider [4]. + + The script removes the application COM registration for CLSID and AppID + `2781761E-28E2-4109-99FE-B9D127C57AFE` [2] [3] [7] by deleting the following registry keys: + + - `HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] + - `HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + - `HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [5] [7] + - `HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [7] + + It also removes the UacProviders registration under: + `HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE}` [4] [7]. 
+ + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240829090059/https://strontic.github.io/xcyclopedia/library/clsid_2781761E-28E2-4109-99FE-B9D127C57AFE.html "CLSID 2781761E-28E2-4109-99FE-B9D127C57AFE | Windows Defender IAmsiUacProvider implementation | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master ยท privacysexy-forks/juicy-potato | github.com" + [4]: https://web.archive.org/web/20240917095611/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L9020 "10_0_22622_601/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [5]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240829090503/https://www.shouldiblockit.com/mpsvc.dll-cf318f60a84f15af352439465a8d05f4.aspx "MpSvc.dll - Should I Block It? 
(MD5 cf318f60a84f15af352439465a8d05f4) | www.shouldiblockit.com" + [7]: https://web.archive.org/web/20240829090236/https://www.bleepingcomputer.com/forums/t/655746/windows-10-has-been-infected-and-i-need-help-please/ "Windows 10 has been infected and i need help, please! - Am I infected? What do I do? | www.bleepingcomputer.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\AMSI\UacProviders\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\CLSID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\AppID\{2781761E-28E2-4109-99FE-B9D127C57AFE} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Antimalware Scan Interface (AMSI) for current user + docs: |- + This script disables the Antimalware Scan Interface (AMSI) for the current user, 
preventing + the integration of applications and services with antimalware products. + + AMSI is a standard interface that integrates applications and services with antimalware products + on Windows machines [1]. + It helps detect potentially malicious scripts, such as harmful PowerShell commands or Microsoft + Office macros, even if they are obfuscated [2]. + + When AMSI is enabled, antivirus programs can scan scripts before they run [2]. + If a known malicious pattern is detected, the script may be blocked [2]. + + Disabling AMSI may enhance privacy by limiting data shared with antimalware services. + It may also boost system performance by reducing background scanning activities. + + However, disabling AMSI poses significant security risks: + + 1. Reduced protection from script-based attacks + 2. Weakened detection of malicious macros + 3. Increased vulnerability to obfuscated malware + + > **Caution:** + > Disabling AMSI weakens your defense against malware and script-based threats. + + ### Technical Details + + This script modifies the Windows Registry by setting the `AmsiEnable` value to `0` + under the `HKCU\Software\Microsoft\Windows Script\Settings` key [2] [3] [4]. 
+ + [1]: https://web.archive.org/web/20240828134320/https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal "Antimalware Scan Interface (AMSI) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240828134325/https://blog.f-secure.com/hunting-for-amsi-bypasses/ "Hunting for AMSI bypasses - F-Secure Blog | blog.f-secure.com" + [3]: https://web.archive.org/web/20240828134331/https://redcanary.com/threat-detection-report/techniques/modify-registry// "Modify Registry - Red Canary Threat Detection Report | redcanary.com" + [4]: https://web.archive.org/web/20240828134538/https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/ "Macros and More with SharpShooter v2.0 - MDSec | www.mdsec.co.uk" + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows Script\Settings + valueName: AmsiEnable + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Defender remote management + docs: |- + This category contains scripts to disable remote management capabilities of Defender + + Remote management allows administrators or management systems to control Defender settings and receive information remotely. + This includes applying configurations, running scans, and collecting device security data. + + Disabling remote management enhances your privacy by: + + - Preventing remote access to your Defender settings and data. + - Reducing the amount of information shared with management systems. + - Giving you more control over your local security settings. + + It also increases your security by: + + - Reducing potential attack surface for remote exploits. + - Preventing unauthorized changes to your Defender settings. + + It can also boost system performance by removing associated components. 
+ + However, disabling remote management can interfere with organizational settings and potentially reduce security by: + + - Preventing automatic application of security policies. + - Limiting the ability of IT administrators to manage and monitor security across devices. + - Potentially missing important security updates or configurations. + + > **Caution**: + > Disabling Defender remote management may violate organizational policies and impair the IT department's + > ability to protect and manage your device. + children: + - + name: Disable Defender remote configuration + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Windows Defender's ability to receive remote configurations. + + Windows Defender Management uses this feature to remotely control Defender's behavior [1]. + It uses a Configuration Service Provider (CSP) as an interface between the device's settings and + specified configurations [2]. + CSPs, like Group Policy client-side extensions, enable reading, setting, modifying, or deleting + settings for specific features [2]. + Mobile device management (MDM) service providers commonly use these CSPs [2]. + + Disabling this feature enhances privacy and user control by blocking remote modifications to your + Defender settings. + This action may also improve system performance by reducing background processes related to + checking and applying remote configurations. + + However, this action may reduce security by: + + - Preventing potentially important security updates from being applied automatically. + - Limiting the ability of IT administrators to manage Defender settings across devices. + + > **Caution:** + > Disabling this feature may make your computer less secure and reduce the ability of management + > systems to adjust security settings automatically. + + ### Technical Details + + The script targets the COM registration for the CLSID `195B4D07-3DE2-4744-BBF2-D90121AE785B` [1] [3]. 
+ This application registers the `DefenderCSP.dll` library [1] [3]. + This component is used by the Defender service (`MpSvc`) [4]. + The DLL file is located in the `%PROGRAMFILES%\Windows Defender` folder [1] [3]. + + This script performs a soft deletion of: + + - The COM registration for the CLSID (`195B4D07-3DE2-4744-BBF2-D90121AE785B`) [1] [3]. + - The `DefenderCSP.dll` file. + + For more information on related configurations and the full range of settings affected, see the official + Microsoft documentation on the Defender CSP [5]. + + [1]: https://web.archive.org/web/20240917101148/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest#L14-L29 "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-mdm_31bf3856ad364e35_10.0.22621.1_none_a3f646ff3d52d348.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท colorsci/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240829084136/https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers "Configuration service providers for IT pros | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829084308/https://strontic.github.io/xcyclopedia/library/clsid_195B4D07-3DE2-4744-BBF2-D90121AE785B.html "CLSID 195B4D07-3DE2-4744-BBF2-D90121AE785B | Defender CSP | STRONTIC | strontic.github.io" + [4]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings#L6494 "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpSvc.dll.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d ยท privacysexy-forks/10_0_22000_1165 | github.com" + [5]: 
https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{195B4D07-3DE2-4744-BBF2-D90121AE785B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\DefenderCSP.dll' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender remote commands + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables Defender's remote management capabilities. + + The script specifically targets a component known as the **Microsoft Security Client Antimalware Provider** [1]. + + This component allows PowerShell to manage Defender remotely, often through + **System Center Endpoint Protection (SCEP)** [2] [3] [4]. + + Disabling this component enhances your privacy by preventing remote access to your Defender settings and data. + It may also enhance system performance by reducing background processes associated with remote management. + However, it may decrease security in managed environments by limiting remote management of your system's security settings. 
+ + > **Caution:** This action may reduce security on work or school computers and other managed devices. + + ### Technical Details + + The script disables these components: + + - The `MpProvider.dll` file located at `%PROGRAMFILES%\Windows Defender\MpProvider.dll` [5]. + - **InfectionState WMI Provider** COM object with CLSID `361290c0-cb1b-49ae-9f3e-ba1cbe5dab35` [5] [6]. + - **Status WMI Provider** COM object with CLSID `8a696d12-576b-422e-9712-01b9dd84b446` [5] [7]. + - **AMMonitoring WMI Provider** COM object with CLSID `DACA056E-216A-4FD1-84A6-C306A017ECEC` [5] [8]. + + These components are part of the Windows Defender Management package [5]. + + [1]: https://web.archive.org/web/20240829150549/https://systemexplorer.net/file-database/file/mpprovider-dll "What is mpprovider.dll ? | System Explorer | systemexplorer.net" + [2]: https://web.archive.org/web/20240829150629/https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical "Assessment checks for endpoint detection and response - Microsoft Defender for Cloud | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240829150639/https://www.verboon.info/2014/04/managing-windows-defender-system-center-endpoint-security-with-powershell/ "Managing Windows Defender / System Center Endpoint Security with PowerShell โ€“ Anything about IT | www.verboon.info" + [4]: https://web.archive.org/web/20240829150603/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-protection-client-faq "Endpoint Protection client frequently asked questions - Configuration Manager | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240829150445/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest#L96-L104 
"nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-v1_31bf3856ad364e35_10.0.22621.1_none_7c3b5e29fc07cee1.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [6]: https://web.archive.org/web/20240829150513/https://strontic.github.io/xcyclopedia/library/clsid_361290c0-cb1b-49ae-9f3e-ba1cbe5dab35.html "CLSID 361290c0-cb1b-49ae-9f3e-ba1cbe5dab35 | InfectionState WMI Provider | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240829180050/https://strontic.github.io/xcyclopedia/library/clsid_8a696d12-576b-422e-9712-01b9dd84b446.html "CLSID 8a696d12-576b-422e-9712-01b9dd84b446 | Status WMI Provider | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240829180219/https://strontic.github.io/xcyclopedia/library/clsid_DACA056E-216A-4FD1-84A6-C306A017ECEC.html "CLSID DACA056E-216A-4FD1-84A6-C306A017ECEC | AMMonitoring WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{361290c0-cb1b-49ae-9f3e-ba1cbe5dab35} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8a696d12-576b-422e-9712-01b9dd84b446} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DACA056E-216A-4FD1-84A6-C306A017ECEC} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 
23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpProvider.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender WMI management + recommend: null # Impacts local management + docs: |- + This script disables Defender's ability to be managed through Windows Management Instrumentation (WMI). + + WMI enables the management and automation of tasks on Windows computers [1]. + WMI is primarily used for remote management and monitoring but it can also operate locally [1]. + + Disabling Defender's WMI management enhances privacy by preventing unauthorized remote modifications + to Defender settings. + It may also improve system performance by reducing background processes related to WMI management. + + However, this change comes with trade-offs: + + - It may disrupt local management scripts on your computer [1]. + - It can impact computers managed by enterprise software such as **System Center Operations Manager** + or **Windows Remote Management** [1]. + - It may reduce security by limiting the ability to manage Defender remotely in enterprise environments. + + > **Caution:** + > This script may interfere with system management tools and potentially reduce security in enterprise environments. 
+ + ### Technical Details + + This script removes specific components of the `Windows-Defender-Management-Onecore` package [2]: + + - File `%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll` [2] [3] + - COM class **Windows Defender WMI Provider** (CLSID: `A7C452EF-8E9F-42EB-9F2B-245613CA0DC9`) [2] [3] + + [1]: https://web.archive.org/web/20240830103531/https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page "Windows Management Instrumentation - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830103651/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-management-onecore_31bf3856ad364e35_10.0.22621.1_none_35c9afe78c9d9fdd.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240830103709/https://strontic.github.io/xcyclopedia/library/clsid_A7C452EF-8E9F-42EB-9F2B-245613CA0DC9.html "CLSID A7C452EF-8E9F-42EB-9F2B-245613CA0DC9 | Windows Defender WMI Provider | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\ProtectionManagement.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 
10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender updates children: @@ -17153,7 +17631,6 @@ actions: property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - - name: Minimize Defender engine updates to completed release cycles docs: @@ -17256,19 +17733,6 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - name: Disable auditing events in Defender Application Guard - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI - valueName: AuditApplicationGuard - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender scheduled tasks children: 
@@ -17453,7 +17917,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` @@ -17482,7 +17946,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐ŸŸข Running | Boot | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` @@ -17510,7 +17974,7 @@ actions: | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Boot | call: # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: ๐Ÿ” Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - # Windows 10 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` 
@@ -17619,6 +18083,70 @@ actions: elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - function: ShowComputerRestartSuggestion + - + name: Disable Defender Antivirus shared service components + docs: |- + This script disables Microsoft Defender Antivirus shared service components. + + This script may enhance privacy by reducing the system's monitoring and data collection capabilities. + It may also improve system performance by reducing background processes and resource usage. + + However, disabling these components may significantly reduce system security. + Without these components, the system becomes more vulnerable to malware, viruses, and other cyber threats. + + > **Caution:** This action disables your antivirus protection, exposing your computer to viruses and other cyber threats. + + ### Technical Details + + The script disables the following components: + + - Microsoft Windows Defender COM application with CLSID `A2D75874-6750-4931-94C1-C99D3BC9D0C7` [1] [2] + and AppID `A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F` [1] [2]. + It is component of Defender Antivirus (`WinDefend`) [2] [3]. + Its file is at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] [2]. + It also uses `MsMpCom.dll` for in-process COM servers [1] [2]. + - Microsoft Windows Defender COM Utility Type Library (`8C389764-F036-48F2-9AE2-88C260DCF43B`) [2] + - DLL `MpAsDesc.dll` located at `%PROGRAMFILES%\Windows Defender\MpAsDesc.dll` [1] + Defender services like `WdNisDrv`, `WdBoot`, `WinDefend`, `WdNisSvc` all depends on this file [4]. 
+ - DLL `MsMpCom.dll` located at `%PROGRAMFILES%\Windows Defender\MsMpCom.dll` [1] [2] + + [1]: https://web.archive.org/web/20240829212450/https://strontic.github.io/xcyclopedia/library/clsid_A2D75874-6750-4931-94C1-C99D3BC9D0C7.html "CLSID A2D75874-6750-4931-94C1-C99D3BC9D0C7 | Microsoft Windows Defender | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240829205326/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240829212436/https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints#known-issues-and-limitations-in-the-new-unified-solution-package-for-windows-server-2016-and-windows-server-2012-r2 "Onboard Windows servers to the Microsoft Defender for Endpoint service - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240829212123/https://github.com/privacysexy-forks/SchoolNotes/blob/af823cecc159021e1a54fb5ca15d54ce35734ee9/ifs4102/Assignments/Assignment-2/a2system.txt "SchoolNotes/ifs4102/Assignments/Assignment-2/a2system.txt at af823cecc159021e1a54fb5ca15d54ce35734ee9 ยท privacysexy-forks/SchoolNotes | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A2D75874-6750-4931-94C1-C99D3BC9D0C7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… 
Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{A79DB36D-6218-48e6-9EC9-DCBA9A39BF0F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{8C389764-F036-48F2-9AE2-88C260DCF43B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles # โŒ TrustedInstaller is not enough; requires safe mode or disabled protection + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpAsDesc.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpCom.dll' + # grantPermissions: false # โŒ Cannot grant permissions since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 22H2) + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable Defender Firewall docs: |- 
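Review bot: The `SoftDeleteFiles` call for `MpAsDesc.dll` is commented as "TrustedInstaller is not enough; requires safe mode or disabled protection", yet it is still issued with `elevateToTrustedInstaller: 'true'` and the docs do not mention the limitation. On a normally booted system the three registry keys would presumably be soft-deleted while this file stays in place, leaving the component half-removed; whether the step fails visibly cannot be told from this hunk. I would add a line under Technical Details such as `Removing MpAsDesc.dll requires safe mode or disabled Defender protection; otherwise this step may not succeed.`, or drop the call until it can succeed. The component list also names `MpAsDesc.dll` twice (as the COM application's file and as a separate DLL entry), and "It is component of" / "all depends on" should read "It is a component of" / "all depend on".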
@@ -18031,6 +18559,59 @@ actions: parameters: fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable Defender for Endpoint remote configuration + recommend: strict # No clear security benefits, potential risks for personal use + docs: |- + This script disables remote configuration for Microsoft Defender for Endpoint, enhancing privacy + and local control over your device's security settings. + + Microsoft Defender for Endpoint is a security suite designed to protect devices from cyber threats [1]. + Some components are included by default on Windows without requiring user opt-in [2] [3]. + Remote configuration allows administrators to manage and update settings across multiple devices. + This feature is typically used in work or school environments where centralized control of multiple devices + is necessary. + + Disabling this feature enhances privacy by preventing remote changes to your Defender for Endpoint settings. + It may also improve system performance by reducing background processes related to remote management. + + However, disabling this feature may: + + - Prevent automatic security updates from being applied. + - Limit the ability of IT administrators to manage security settings across devices. + - Violate your organization's compliance policies if you're on a work or school computer. + + > **Caution:** + > Disabling this feature may reduce your device's security and limit automatic security adjustments. 
+ + ### Technical Details + + This script disables the following components: + + - Windows Defender Advanced Threat Protection CSP [2] + (CLSID: `FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4` [2]) + - Windows Defender Advanced Threat Protection Manageability module [3] + (Path: `%PROGRAMFILES%\Windows Defender Advanced Threat Protection\WATPCSP.dll` [2] [3]) + + For detailed configurations and settings, refer to Microsoft's documentation on WindowsAdvancedThreatProtection CSP [4]. + + [1]: https://web.archive.org/web/20240821073223/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint "Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831150003/https://strontic.github.io/xcyclopedia/library/clsid_FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4.html "CLSID FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4 | Windows Defender Advanced Threat Protection CSP | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240831150016/https://strontic.github.io/xcyclopedia/library/WATPCSP.dll-44CC07FE949C00E92571169E2413F4CC.html "WATPCSP.dll | Windows Defender Advanced Threat Protection Manageability module | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831150703/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsadvancedthreatprotection-csp "WindowsAdvancedThreatProtection CSP | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{FEEE9C23-C4E2-4A34-8C73-FE8F9786C8B4} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows 
Defender Advanced Threat Protection\WATPCSP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable SmartScreen docs: |- # refactor-with-variables: โ€ข SmartScreen Caution @@ -18821,27 +19402,28 @@ actions: - name: Disable outdated Internet Explorer SmartScreen Filter component docs: |- # refactor-with-variables: โ€ข SmartScreen Caution - This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + This script disables the outdated Internet Explorer SmartScreen filter (`ieapfltr.dll`). - The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. - It is mainly used by Internet Explorer [2]. + The `ieapfltr.dll` file is also known as **Microsoft SmartScreen Filter** [1] + or **Anti-phishing browser solution** [2]. + It is mainly used by Internet Explorer [3]. - Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], + Despite the official end of support for Internet Explorer 11 on June 15, 2022 [4], some systems may still have this component. Benefits: - **Privacy improvement**: - By disabling the SmartScreen functionality that monitors user behavior, + By disabling the SmartScreen functionality that monitors user behavior, this script enhances your privacy. - **Security enhancement**: It reduces the attack surface by removing unused components, aligning with security best practices. - **System performance**: It may improve system performance by removing unnecessary components. - + Trade-offs: - + - **Reduced security**: The absence of SmartScreen may decrease protection against malware and phishing. - **Browser Functionality**: 
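Review bot: The comment on `recommend: strict` ("No clear security benefits, potential risks for personal use") is ambiguous: it can be read as describing the script itself, which would argue against recommending it, or the remote-configuration feature being removed. If the latter is meant, say so, for example `recommend: strict # Remote configuration has no clear security benefit on personal devices`. The caution block mentions only reduced security, while the bullet list above it names work or school computers. Adding `> This action may reduce security on work or school computers and other managed devices.` to the caution would make that explicit for a script in the strict set.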
@@ -18853,30 +19435,62 @@ actions: Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend on it, even if Internet Explorer is not actively used. + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + ### Technical Details + File locations: | File path | Windows 11 (23H2) | Windows 10 (22H2) | |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\ieapfltr.dll` [4] | โŒ Missing | โŒ Missing | + | `%WINDIR%\System32\ieapfltr.dll` [5] | โŒ Missing | โŒ Missing | | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | โœ… Yes | โœ… Exists | - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + This component is associated with following CLSIDs: + + - `3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30` [5] + - `E48B2549-D510-4A76-8A5F-FC126A6215F0` [2] [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + [2]: 
https://web.archive.org/web/20240828080343/https://strontic.github.io/xcyclopedia/library/clsid_E48B2549-D510-4A76-8A5F-FC126A6215F0.html "CLSID E48B2549-D510-4A76-8A5F-FC126A6215F0 | CLSID_AntiPhishingBrowserSolution | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" call: - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\ieapfltr.dll' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + grantPermissions: 'true' # ๐Ÿ”’๏ธ Likely protected as other files in `%WINDIR%\System32`, not tested due to lack of this file on modern Windows - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ 
Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - category: Disable SmartScreen system components docs: |- 
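Review bot: The four added `keyPath` values are written `HKLM\SOFTWARE\Classes\...`, while the other scripts added in this diff use `HKLM\Software\Classes\...`; registry paths are case-insensitive, so behaviour is unaffected, but a single spelling makes the keys easier to grep and audit. The docs list the two CLSIDs without saying that both the native and the `WOW6432Node` registration of each are removed, so I would add `Both the 64-bit and 32-bit (WOW6432Node) registrations are removed.` under the CLSID list. The `# Availability:` comments mark all four keys as present, yet the table in the same docs marks `%WINDIR%\System32\ieapfltr.dll` as missing; if the native keys were verified to exist without the file, a comment saying so would remove the doubt. "is associated with following CLSIDs" should read "with the following CLSIDs".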
@@ -18908,31 +19522,30 @@ actions: - name: Disable SmartScreen process docs: |- # refactor-with-variables: โ€ข SmartScreen Caution - This script stops and prevents the `smartscreen.exe` from running. + This script stops the `smartscreen.exe` process and prevents it from running. This process is officially known as *Windows Defender SmartScreen* [1] [2]. It manages the SmartScreen functionality [3] [4]. - Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. - - Disabling SmartScreen improves your privacy because it stops outbound network connections - that transmit your data [5]. - This process runs in the background even when SmartScreen is disabled [3]. + Disabling SmartScreen enhances privacy by preventing outbound network connections that transmit your data [5]. + Even when disabled, SmartScreen continues running in the background [3]. It also improves system performance by reducing CPU usage [6]. - However, disabling SmartScreen process can compromise your security by disabling its protective features. + However, disabling the SmartScreen process may compromise your security by removing its protective features. Additionally, if SmartScreen remains partially enabled after the process is disabled, - it may impair the functionality of Microsoft Store apps [3] [5]. + it may impair the functionality of Microsoft Store apps [3] [5] [7]. - This script will: + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. - - **Terminate the process**: - Stops the `smartscreen.exe` process to prevent it from running. - - **Remove the executable**: - Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + ### Technical Details - > **Caution**: - > - Disabling SmartScreen may reduce your protection against phishing and malware. - > - Disabling this process may prevent Microsoft Store apps from loading. 
+ The executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + + This script will: + + - **Terminate the process**: + Stops the `smartscreen.exe` process to prevent it from running. + - **Remove the executable**: + Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" @@ -18940,6 +19553,7 @@ actions: [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... - Microsoft Community | answers.microsoft.com" [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + [7]: https://web.archive.org/web/20240829095739/https://github.com/undergroundwires/privacy.sexy/issues/412 "Disabling SmartScreen causes the OS to open apps very slowly (Solution) ยท Issue #412 ยท undergroundwires/privacy.sexy | github.com" call: - function: TerminateAndBlockExecution 
@@ -19015,6 +19629,498 @@ actions: parameters: fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + name: Disable SmartScreen integrations + docs: |- + This script disables COM SmartScreen integrations within Windows. + + **SmartScreen** is a security feature that aims to protect your device from harmful applications, + files, and websites by comparing items with a database of known threats [1]. + + **COM (Component Object Model)** objects are software components that let different programs communicate [2]. + These integrations allow SmartScreen to interact with various Windows components [2] [3]. + Disabling these components disrupts SmartScreen's functionality. + + This script improves privacy by: + + - Reducing data collection related to SmartScreen operations + - Limiting the system's ability to scan and report on your activities + + Disabling SmartScreen may improve system performance by: + + - Removing background processes associated with SmartScreen + - Potentially speeding up application launches, especially if SmartScreen is partially disabled [4] + + If other SmartScreen components are already disabled, this script may help maintain system integrity [4]. + + However, disabling these integrations may reduce security by: + + - Limiting the system's ability to detect and prevent malware or phishing attempts [1] + - Disabling protective features that scan downloaded files and warn about unsafe websites [1] + + > **Caution**: + > Disabling SmartScreen integrations may make your system more vulnerable to malware and phishing attacks. + > Consider your personal security needs before applying these changes. + + ### Technical Details + + This script disables several COM interfaces, classes, and applications associated with SmartScreen. 
+ + Key components affected include: + + - SmartScreen event logging and reporting interfaces + - URI (Uniform Resource Identifier) and file reputation services + - Application reputation services + - SmartScreen-related Windows Runtime activatable classes + + The components disabled by this script consist of: + + | Type | Name | ID | + |------|------|------| + | Interface | `IDeferredParametersHandler` [3] | Interface ID: `741baa78-e96f-466c-9ffa-81af5ce4cd59` [3] | + | Interface | `IEventLogger` [3] | Interface ID: `a3104ea9-a816-4fdc-860c-75408a04b686` [3] | + | Interface | `IEventLoggerFactory` [3] | Interface ID: `16ae6386-0aa2-45fc-aab2-f2ee3a0f3188` [3] | + | Interface | `IHtmlContentInfo` [3] | Interface ID: `680d04e6-9661-4ac5-b962-58b112ffa5e6` [3] | + | Interface | `IButtonInfo` [3] | Interface ID: `9ad9b845-b683-493e-8d39-45a56d54617d` [3] | + | Interface | `IVectorView` [3] | Interface ID: `e9444d66-3ff9-5410-8984-f9063f825683` [3] | + | Interface | `IIterable` [3] | Interface ID: `69c26f3c-53aa-56cc-818f-4be79004cd02` [3] | + | Interface | `IIterator` [3] | Interface ID: `60f00258-24f8-5460-bb2d-853a614a50ec` [3] | + | Interface | `IPopupButtonInfo` [3] | Interface ID: `c729ad47-6f3a-46f4-af74-3b5c3311e6ed` [3] | + | Interface | `IUriReputationExperienceInfo` [3] | Interface ID: `7fdde05c-d2db-495b-b06d-4a8d84f3ab99` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `b2b6814f-02c2-5b0c-9e14-159eb77f4462` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `aad9a740-4131-5fe0-9888-c925750b8a99` [3] | + | Interface | `IUriReputationResult` [3] | Interface ID: `1d5bc3a2-a3ff-4517-bb16-25bf18ef7378` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `f84b2c99-2f3d-5877-bf78-4f40f6bd25c0` [3] | + | Interface | `IAsyncOperationCompletedHandle` [3] | Interface ID: `d164f201-3f19-588a-a21e-06c60651d335` [3] | + | Interface | `IUriReputationService` [3] | Interface ID: `a774d785-2808-4471-a254-ab93932b61ea` [3] | + | 
Interface | `IUriReputationServiceStatics` [3] | Interface ID: `29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB` [3] | + | Interface | `IUriReputationSettings` [3] | Interface ID: `3474d734-3408-4471-a344-a3439343634a` [3] | + | Interface | `IFileReputationResult` [3] | Interface ID: `48748dc6-576c-47c0-8169-b99cc31a68fe` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `0b3418c4-edbd-5275-a27d-c814665bd20b` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `e406ebb7-b140-562f-bcbc-40f0ef479d38` [3] | + | Interface | `IFileReputationService` [3] | Interface ID: `67e7f99b-1b65-4343-825d-eb17c9681805` [3] | + | Interface | `IAppxPackage` [3] | Interface ID: `56ed2384-8491-4fbc-8f1d-141faf905d85` [3] | + | Interface | `IIterable` [3] | Interface ID: `c4c9b336-6104-586e-b35c-9f9029afb178` [3] | + | Interface | `IIterator` [3] | Interface ID: `235e004e-c711-5d74-8895-25412ca30088` | + | Interface | `IWindow` [3] | Interface ID: `ad6db2cf-0c8d-438b-b25d-9a9a82903b2b` [3] | + | Interface | `IAppReputationService` [3] | Interface ID: `d9dc3975-1062-470a-994c-409151ff8f54` [3] | + | Interface | `IAppReputationServiceStatics` | Interface ID: `343baa78-e34f-466c-9ffa-81af5ce4cd34` [3] | + | Interface | `IAsyncOperation` [3] | Interface ID: `377f919e-1b1a-5ca1-9ac0-70f57dcf5f61` [3] | + | Interface | `IAsyncOperationCompletedHandler` [3] | Interface ID: `1b988c32-1bc7-52fa-83ba-0b97e79c878b` [3] | + | App | `SmartScreen` [5] | AppId: `a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d` [3] [5] | + | Class | `SmartScreen` [3] [5] | CLSID: `a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d` [3] [4] [5] | + | ActivatableClass | EventLogger | ActivatableClassId: `Windows.Internal.Security.SmartScreen.EventLogger` [3] | + | ActivatableClass | UriReputationService | ActivatableClassId: `Windows.Internal.Security.SmartScreen.UriReputationService` [3] | + | ActivatableClass | AppReputationService | ActivatableClassId: `Windows.Internal.Security.SmartScreen.AppReputationService` [3] | + 
+ [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830140350/https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model "The Component Object Model - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240912083808/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22621.1_none_1ef7981b13e07576.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.22621.1_none_1ef7981b13e07576.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240829095739/https://github.com/undergroundwires/privacy.sexy/issues/412 "Disabling SmartScreen causes the OS to open apps very slowly (Solution) ยท Issue #412 ยท undergroundwires/privacy.sexy | github.com" + [5]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{741baa78-e96f-466c-9ffa-81af5ce4cd59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{741baa78-e96f-466c-9ffa-81af5ce4cd59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{a3104ea9-a816-4fdc-860c-75408a04b686} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{a3104ea9-a816-4fdc-860c-75408a04b686} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{16ae6386-0aa2-45fc-aab2-f2ee3a0f3188} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{16ae6386-0aa2-45fc-aab2-f2ee3a0f3188} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{680d04e6-9661-4ac5-b962-58b112ffa5e6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: 
SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{680d04e6-9661-4ac5-b962-58b112ffa5e6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{9ad9b845-b683-493e-8d39-45a56d54617d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{9ad9b845-b683-493e-8d39-45a56d54617d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{e9444d66-3ff9-5410-8984-f9063f825683} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e9444d66-3ff9-5410-8984-f9063f825683} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{69c26f3c-53aa-56cc-818f-4be79004cd02} + 
elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{69c26f3c-53aa-56cc-818f-4be79004cd02} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{60f00258-24f8-5460-bb2d-853a614a50ec} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{60f00258-24f8-5460-bb2d-853a614a50ec} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{c729ad47-6f3a-46f4-af74-3b5c3311e6ed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{c729ad47-6f3a-46f4-af74-3b5c3311e6ed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro 
(โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{7fdde05c-d2db-495b-b06d-4a8d84f3ab99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{7fdde05c-d2db-495b-b06d-4a8d84f3ab99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{b2b6814f-02c2-5b0c-9e14-159eb77f4462} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{b2b6814f-02c2-5b0c-9e14-159eb77f4462} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{aad9a740-4131-5fe0-9888-c925750b8a99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{aad9a740-4131-5fe0-9888-c925750b8a99} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ 
Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{1d5bc3a2-a3ff-4517-bb16-25bf18ef7378} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1d5bc3a2-a3ff-4517-bb16-25bf18ef7378} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{f84b2c99-2f3d-5877-bf78-4f40f6bd25c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{f84b2c99-2f3d-5877-bf78-4f40f6bd25c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{d164f201-3f19-588a-a21e-06c60651d335} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{d164f201-3f19-588a-a21e-06c60651d335} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{a774d785-2808-4471-a254-ab93932b61ea} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{a774d785-2808-4471-a254-ab93932b61ea} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{29A3AB33-0FD7-44F5-9BFF-C0B6C081FBFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{3474d734-3408-4471-a344-a3439343634a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: 
SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3474d734-3408-4471-a344-a3439343634a} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{48748dc6-576c-47c0-8169-b99cc31a68fe} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{48748dc6-576c-47c0-8169-b99cc31a68fe} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{0b3418c4-edbd-5275-a27d-c814665bd20b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0b3418c4-edbd-5275-a27d-c814665bd20b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{e406ebb7-b140-562f-bcbc-40f0ef479d38} + 
elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e406ebb7-b140-562f-bcbc-40f0ef479d38} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{67e7f99b-1b65-4343-825d-eb17c9681805} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{67e7f99b-1b65-4343-825d-eb17c9681805} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{56ed2384-8491-4fbc-8f1d-141faf905d85} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{56ed2384-8491-4fbc-8f1d-141faf905d85} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro 
(โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{c4c9b336-6104-586e-b35c-9f9029afb178} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{c4c9b336-6104-586e-b35c-9f9029afb178} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{235e004e-c711-5d74-8895-25412ca30088} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{235e004e-c711-5d74-8895-25412ca30088} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{ad6db2cf-0c8d-438b-b25d-9a9a82903b2b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{ad6db2cf-0c8d-438b-b25d-9a9a82903b2b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ 
Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{d9dc3975-1062-470a-994c-409151ff8f54} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{d9dc3975-1062-470a-994c-409151ff8f54} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{343baa78-e34f-466c-9ffa-81af5ce4cd34} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{343baa78-e34f-466c-9ffa-81af5ce4cd34} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{377f919e-1b1a-5ca1-9ac0-70f57dcf5f61} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{377f919e-1b1a-5ca1-9ac0-70f57dcf5f61} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{1b988c32-1bc7-52fa-83ba-0b97e79c878b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1b988c32-1bc7-52fa-83ba-0b97e79c878b} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppId\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: 
SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.EventLogger + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.UriReputationService + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - name: Disable outdated SmartScreen settings interface docs: |- # refactor-with-variables: โ€ข SmartScreen Caution 
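Review bot: Several rows in the new component table name generic Windows Runtime types (`IVectorView`, `IIterable`, `IIterator`, `IAsyncOperation`, `IAsyncOperationCompletedHandler`) without a type argument, and some names repeat with different IIDs, so the docs do not show whether these are SmartScreen-specific instantiations or interfaces shared with other components. Each one is then removed from `HKLM\SOFTWARE\Classes\Interface` and its `WOW6432Node` mirror with `elevateToTrustedInstaller: 'true'`, so the docs should say what scopes them to SmartScreen, presumably that every IID is registered by the manifest in [3]. If that is accurate, a line above the table such as `Generic interface names below are SmartScreen-specific instantiations registered by the manifest in [3].` would cover it. Smaller table fixes: `IAsyncOperationCompletedHandle` looks like a typo for `IAsyncOperationCompletedHandler`, and the `235e004e-c711-5d74-8895-25412ca30088` ID and the `IAppReputationServiceStatics` name are missing the `[3]` citation the other rows carry.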
@@ -19122,479 +20228,2273 @@ actions: [9]: https://web.archive.org/web/20240819080607/https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr "Microsoft Defender XDR | Microsoft Security | www.microsoft.com" children: - - name: Disable "Windows Security Service" service + category: Disable Defender interface background services docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + This category provides scripts to disable background services supporting Defender interface elements. + These services enable real-time updates and interactions with Defender's security features. - It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + Disabling these services may: - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
+ - Reduce system resource usage + - Minimize background processes related to the Defender interface + - Limit potential data collection associated with Defender's user interface - ### Overview of default service statuses + However, this action may also: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸข Running | Manual | - | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | + - Prevent certain security notifications from appearing + - Limit your ability to interact with Defender through its standard interface + - Reduce awareness of important security events - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states - call: - - - # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - function: DisableServiceInRegistry - parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType - 
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - elevateToTrustedInstaller: 'true' - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' - grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - - - category: Disable Defender user interface + > **Caution:** + > - Disabling these services may reduce visibility into your system's security status while + > core Defender functionalities remain intact. + > - Consider alternative methods to monitor system security and maintain good security practices. children: - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - name: Remove "Scan with Defender" from context menu + name: Disable "Windows Security" status reporting integrations docs: |- - This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. - Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + This script disables the Windows Security APIs, which are used by Windows and third-party security + software to report system security status. - Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + These APIs are known as **Windows Security APIs** [1], or **Windows Security Center APIs** [2]. 
+ They allow security software to communicate with the Windows Security app [1]. + This app monitors the system's security status and provides alerts about potential vulnerabilities [1]. - > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. + Disabling these APIs can improve privacy by preventing the collection and reporting of security-related + system information. + It may also enhance system performance by reducing background processes. - ### Technical Details + However, disabling these APIs has significant trade-offs: + + - **Reduced security awareness:** + You won't receive alerts about potential security issues through the Windows Security app. + - **Impaired functionality of security software:** + Third-party security solutions may lose their ability to report status to Windows Security without these APIs. - The script functions by altering specific registry keys that correspond to the Defender context menu option. - It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. - The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. + > **Caution:** + > Disabling these APIs may reduce your system's ability to detect and respond to security threats. - The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. - This feature is provided by `shellext.dll` file located in Defender's program files [1]. 
+ ### Technical Details - [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" - [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + This script removes several components of the Windows Security APIs, including: + + | Type | Name | Identifier / Location | + |-----------|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| + | DLL | Windows Security Center ISV API [3] | `%SYSTEMROOT%\SysWOW64\wscisvif.dll` [3], `%SYSTEMROOT%\system32\wscisvif.dll` [4] [5] | + | DLL | Windows Security Center API [6] | `%SYSTEMROOT%\System32\wscapi.dll` [4] [7] [8], `%SYSTEMROOT%\SysWOW64\WSCAPI.dll` [8] | + | DLL | Windows Security Center ISV Proxy Stub [4] [9] [10] | `%SYSTEMROOT%\system32\wscproxystub.dll` [4] [9] [11], `%SYSTEMROOT%\SysWOW64\wscproxystub.dll` [10] | + | CLSID | Windows Security Center ISV API [4] [5] | `F2102C37-90C3-450C-B3F6-92BE1693BDF2` [4] [5] | + | CLSID | WscToastActivationHandler [4] [7] | `D5F7E36B-5B38-445D-A50F-439B8FCBB87A` [4] [7] | + | CLSID | WSCDefaultProduct [4] [6] | `2981a36e-f22d-11e5-9ce9-5e5517507c66` [4] [6] | + | CLSID | WSCProductList [4] [12] | `17072F7B-9ABE-4A74-A261-1EB76B55107A` [4] [12] | + | CLSID | WscIsvIf Proxy Stub [4] [11] [13] | `7E66DBEF-2474-4E82-919B-9A855F4C2FE8` [4] [11] [13] | + | CLSID | PSFactoryBuffer [4] [14] | 
`8C38232E-3A45-4A27-92B0-1A16A975F669` [4] [14] | + | TypeLib | wscAPI 1.0 Type Library [4] | `B52A4496-7753-4F74-BE64-C2072E308122` [12] | + | Class | WSCProductList [4] | `wscAPI.WSCProductList` [4], `wscAPI.WSCProductList.1` [4] | + | Class | WSCDefaultProduct [4] | `wscAPI.WSCDefaultProduct` [4] | + | Interface | IWscProduct [4] | `8C38232E-3A45-4A27-92B0-1A16A975F669` [4] | + | Interface | IWscProduct2 [4] | `F896CA54-FE09-4403-86D4-23CB488D81D8` [4] | + | Interface | IWscProduct3 [4] | `55536524-D1D1-4726-8C7C-04996A1904E7` [4] | + | Interface | IWSCProductList [4] | `722A338C-6E8E-4E72-AC27-1417FB0C81C2` [4] | + | Interface | IWSCDefaultProduct [4] | `0476d69c-f21a-11e5-9ce9-5e5517507c66` [4] | + | Interface | IWscSecurityProductStatus [4] | `A61406C1-997B-4a4b-B622-AA7DACA6D575` [4] | + | Interface | IWscAVStatus [4] | `3901A765-AB91-4ba9-A553-5B8538DEB840` [4] | + | Interface | IWscAVStatus2 [4] | `206D9C96-ACDF-484B-833E-DEB914565E44` [4] | + | Interface | IWscAVStatus3 [4] | `CF007CA2-F5E3-11E5-9CE9-5E5517507c66` [4] | + | Interface | IWscAVStatus4 [4] | `4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D` [4] | + | Interface | IWscFWStatus [4] | `9B8F6C6E-8A4A-4891-AF63-1A2F50924040` [4] | + | Interface | IWscFWStatus2 [4] | `62F698CB-094A-4C68-9419-8E8C49420E59` [4] | + | Interface | IWscASStatus [4] | `024E9756-BA6C-4ad1-8321-87BAE78FD0E3` [4] | + + [1]: https://web.archive.org/web/20240831162506/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831162607/https://learn.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider "WSC_SECURITY_PROVIDER (wscapi.h) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240831162317/https://strontic.github.io/xcyclopedia/library/wscisvif.dll-82BBB18EB8507C8355A97D1E91A3C5F7.html "wscisvif.dll | Windows Security Center 
ISV API | STRONTIC | strontic.github.io" + [4]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240831162331/https://strontic.github.io/xcyclopedia/library/clsid_F2102C37-90C3-450C-B3F6-92BE1693BDF2.html "CLSID F2102C37-90C3-450C-B3F6-92BE1693BDF2 | Windows Security Center ISV API | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831161909/https://strontic.github.io/xcyclopedia/library/clsid_2981a36e-f22d-11e5-9ce9-5e5517507c66.html "CLSID 2981a36e-f22d-11e5-9ce9-5e5517507c66 | WSCDefaultProduct Class | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240831162350/https://strontic.github.io/xcyclopedia/library/clsid_D5F7E36B-5B38-445D-A50F-439B8FCBB87A.html "CLSID D5F7E36B-5B38-445D-A50F-439B8FCBB87A | CLSID_WscToastActivationHandler | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240831164737/https://systemexplorer.net/file-database/file/wscapi-dll "What is wscapi.dll ? 
| System Explorer | systemexplorer.net" + [9]: https://web.archive.org/web/20240831162431/https://strontic.github.io/xcyclopedia/library/wscproxystub.dll-FDA3D0A7A55CC2AAFAFDDACCDAEDACA1.html "wscproxystub.dll | Windows Security Center ISV Proxy Stub | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240901102406/https://strontic.github.io/xcyclopedia/library/wscproxystub.dll-D132D30182A8E0CD87C6AA66B7773E08.html "CLSID 8C38232E-3A45-4A27-92B0-1A16A975F669 | PSFactoryBuffer | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240831163052/https://strontic.github.io/xcyclopedia/library/clsid_7E66DBEF-2474-4E82-919B-9A855F4C2FE8.html "CLSID 7E66DBEF-2474-4E82-919B-9A855F4C2FE8 | WscIsvIf Proxy Stub | STRONTIC | strontic.github.io" + [12]: https://web.archive.org/web/20240831162716/https://strontic.github.io/xcyclopedia/library/clsid_17072F7B-9ABE-4A74-A261-1EB76B55107A.html "CLSID 17072F7B-9ABE-4A74-A261-1EB76B55107A | WSCProductList Class | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240831162454/https://wikileaks.org/ciav7p1/cms/page_13762803.html "CLSIDs Windows 7 Professional x86 With Office 2010 | wikileaks.org" + [14]: https://web.archive.org/web/20240831165209/https://strontic.github.io/xcyclopedia/library/clsid_8C38232E-3A45-4A27-92B0-1A16A975F669.html "CLSID 8C38232E-3A45-4A27-92B0-1A16A975F669 | PSFactoryBuffer | STRONTIC | strontic.github.io" call: - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 
'%ProgramFiles%\Windows Defender\shellext.dll' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: ThreadingModel - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' - # Windows 10 (โ‰ฅ 22H2) : Apartment (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : Apartment (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 'Apartment' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - name: Remove "Windows Security" icon from taskbar + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\wscisvif.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… 
Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ fileGlob: '%SYSTEMROOT%\System32\wscisvif.dll'
+ grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{F2102C37-90C3-450C-B3F6-92BE1693BDF2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{F2102C37-90C3-450C-B3F6-92BE1693BDF2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{D5F7E36B-5B38-445D-A50F-439B8FCBB87A}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{D5F7E36B-5B38-445D-A50F-439B8FCBB87A}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteFiles
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ fileGlob: '%SYSTEMROOT%\System32\wscapi.dll'
+ grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteFiles
+ parameters:
+ # Availability: โœ… 
Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ fileGlob: '%SYSTEMROOT%\SysWOW64\wscapi.dll'
+ grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{2981a36e-f22d-11e5-9ce9-5e5517507c66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{2981a36e-f22d-11e5-9ce9-5e5517507c66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{17072F7B-9ABE-4A74-A261-1EB76B55107A}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{17072F7B-9ABE-4A74-A261-1EB76B55107A}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\TypeLib\{B52A4496-7753-4F74-BE64-C2072E308122}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: 
SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{B52A4496-7753-4F74-BE64-C2072E308122}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\Software\Classes\wscAPI.WSCProductList
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\Software\Classes\wscAPI.WSCProductList.1
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\Software\Classes\wscAPI.WSCDefaultProduct
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{7E66DBEF-2474-4E82-919B-9A855F4C2FE8}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{7E66DBEF-2474-4E82-919B-9A855F4C2FE8}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro 
(โ‰ฅ 23H2)
+ -
+ function: SoftDeleteFiles
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ fileGlob: '%SYSTEMROOT%\System32\wscproxystub.dll'
+ grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteFiles
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ fileGlob: '%SYSTEMROOT%\SysWOW64\wscproxystub.dll'
+ grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{8C38232E-3A45-4A27-92B0-1A16A975F669}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{8C38232E-3A45-4A27-92B0-1A16A975F669}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{8C38232E-3A45-4A27-92B0-1A16A975F669}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8C38232E-3A45-4A27-92B0-1A16A975F669}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected 
on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{F896CA54-FE09-4403-86D4-23CB488D81D8}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{F896CA54-FE09-4403-86D4-23CB488D81D8}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{55536524-D1D1-4726-8C7C-04996A1904E7}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{55536524-D1D1-4726-8C7C-04996A1904E7}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{722A338C-6E8E-4E72-AC27-1417FB0C81C2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: 
HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{722A338C-6E8E-4E72-AC27-1417FB0C81C2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{0476d69c-f21a-11e5-9ce9-5e5517507c66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0476d69c-f21a-11e5-9ce9-5e5517507c66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{A61406C1-997B-4a4b-B622-AA7DACA6D575}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{A61406C1-997B-4a4b-B622-AA7DACA6D575}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{3901A765-AB91-4ba9-A553-5B8538DEB840}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: 
SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3901A765-AB91-4ba9-A553-5B8538DEB840}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{206D9C96-ACDF-484B-833E-DEB914565E44}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{206D9C96-ACDF-484B-833E-DEB914565E44}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{CF007CA2-F5E3-11E5-9CE9-5E5517507C66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{CF007CA2-F5E3-11E5-9CE9-5E5517507C66}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D}
+ 
elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{4DCBAFAC-29BA-46B1-80FC-B8BDE3C0AE4D}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{9B8F6C6E-8A4A-4891-AF63-1A2F50924040}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{9B8F6C6E-8A4A-4891-AF63-1A2F50924040}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{62F698CB-094A-4C68-9419-8E8C49420E59}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{62F698CB-094A-4C68-9419-8E8C49420E59}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro 
(โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\Interface\{024E9756-BA6C-4ad1-8321-87BAE78FD0E3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{024E9756-BA6C-4ad1-8321-87BAE78FD0E3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Shell Service docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. + This script disables a system service that operates in the background, monitoring your device and + providing security notifications. - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + This service is named **Defender Shell Service** [1], also referred to as **Security Health SSO** [2]. + It is a component of ***Windows Security** [3] (formerly **Windows Defender Security Center** [4]). + It operates in the background, scanning your device for threats and sending notifications as necessary [3]. + The service is associated with the `SecurityHealthSystray.exe` process, which manages system tray + functionality for Windows Security [3] [5]. + The system tray, or notification area, is part of the Windows taskbar at the bottom-right corner of the screen [6]. - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. 
This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. + Disabling this service may enhance your privacy by reducing background monitoring. + It also improves system performance by stopping a continuously running process. + However, it may decrease your system's security by disabling a key component of Windows Security. + Disabling this component, even while other Windows Security features remain active, may lead to system errors + such as error code `0xc000012f` [3] [5]. - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
- [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" - call: - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - valueName: SecurityHealth - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' - # Windows 10 (โ‰ฅ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - # Windows 11 (โ‰ฅ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - dataTypeOnRevert: REG_EXPAND_SZ - dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' - - - name: Disable Defender Antivirus interface - docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. - - Several reasons to hide the antivirus interface: - - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. 
**Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. - - The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. - - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + > **Caution:** Disabling this service may weaken your computer's security and could result in system errors. 
+ + ### Technical Details + + This script removes the following CLSIDs and associated files: + + | CLSID | Windows 10 Pro (โ‰ฅ 22H2) | Windows 11 Pro (โ‰ฅ 23H2) | + | ---- | ----------------------- | ----------------------- | + | `E3C9166D-1D39-4D4E-A45D-BC7BE9B00578` [5] | Missing | `%SYSTEMROOT%\System32\SecurityHealth\\SecurityHealthSSO.dll` [3] [5] | + | `6D40A6F9-3D32-4FCB-8A86-BE992E03DC76` [2] | `%SYSTEMROOT%\System32\SecurityHealthSSO.dll` [2] | Missing | + + It also removes these files: + + | File | Windows 10 Pro (โ‰ฅ 22H2) | Windows 11 Pro (โ‰ฅ 23H2) | + | ---- | ----------------------- | ----------------------- | + | `%SYSTEMROOT%\System32\SecurityHealth\\SecurityHealthSSO.dll` | โŒ Missing | โœ… Exists | + | `%SYSTEMROOT%\System32\SecurityHealthSSO.dll` [1] [2] | โŒ Missing | โœ… Exists | + + [1]: https://web.archive.org/web/20240829161045/https://strontic.github.io/xcyclopedia/library/SecurityHealthSSO.dll-3C4BE8F167045062380124D2D5BE8C1B.html "SecurityHealthSSO.dll | Security Health SSO | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240829161040/https://strontic.github.io/xcyclopedia/library/clsid_6D40A6F9-3D32-4FCB-8A86-BE992E03DC76.html "CLSID 6D40A6F9-3D32-4FCB-8A86-BE992E03DC76 | CLSID_DefenderShellServiceObject | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240829161005/https://www.thewindowsclub.com/securityhealthsystray-exe-bad-image-what-is-it "SecurityHealthSystray.exe Bad Image; What is it? | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [5]: https://web.archive.org/web/20240829161012/https://oshibaetsya.ru/securityhealthsystray-exe-oshibka/ "Securityhealthsystray exe ะพัˆะธะฑะบะฐ - ะะต ะพัˆะธะฑะฐะตั‚ัั ะปะธัˆัŒ ั‚ะพั‚, ะบั‚ะพ ะฝะธั‡ะตะณะพ ะฝะต ะดะตะปะฐะตั‚! 
| oshibaetsya.ru" + [6]: https://web.archive.org/web/20240829161654/https://learn.microsoft.com/en-us/windows/win32/shell/notification-area "Notifications and the Notification Area - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578} + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{6D40A6F9-3D32-4FCB-8A86-BE992E03DC76} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthSSO.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealth\*\SecurityHealthSSO.dll' + grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease - - name: Disable 
non-administrator access to Defender threat history + name: Disable "Windows Security Service" service docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. + This script disables the Windows Security Service, a component that manages + various Windows security features. + + This service is known as **Windows Security Service** [1], `SecurityHealthService` [2] + or **Windows Security Health Service** [2] [3]. + It provides device protection and system health information [1] [3]. + + This service is part of the **Windows Security** interface [2] [4]. + **Windows Security** is a centralized interface managing various Windows security features [5]. + In earlier Windows versions, this interface was called **Security Center** [5]. - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. + This service is also a component of **Defender for Endpoint** and **Defender Antivirus** [4]. + However, disabling this service does not affect the functionality of Defender Antivirus [2]. - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. + Disabling this service may enhance privacy by limiting data collection related to system security. + It may also improve system performance by preventing the service from running in the background. + However, it may decrease security by disabling the Windows Security interface and restricting access + to security information. - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. 
- However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + > **Caution**: + > Disabling this service may prevent you from accessing Windows Security features and + > receiving important security notifications. + + ### Technical Details + + The **Windows Security** interface relies on this service [2]. - The script configures: + By default, Windows is set to start this service manually [1]. + Although tests indicate it runs automatically on Windows 10 and 11. - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. + The service is located at `%SYSTEMROOT%\System32\SecurityHealthService.exe` [1] [3] [6] - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. - This undocumented registry key has been verified to work on older Windows versions by the community [2]. + #### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (โ‰ฅ 22H2) | ๐ŸŸข Running | Manual | + | Windows 11 (โ‰ฅ 23H2) | ๐Ÿ”ด Stopped | Manual | - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "ะกะพั„ั‚ | ะกะตะบั€ะตั‚ั‹ Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + [1]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [2]: 
https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + [5]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [6]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" call: - - function: SetMpPreference + # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + # Windows 11 (22H2): โŒ `DisableService` | โŒ `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + function: DisableServiceInRegistry parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - 
default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + elevateToTrustedInstaller: 'true' - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โŒ Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2) + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 22H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - - category: Disable sections in "Windows Security" + name: Disable "Windows Security Service" interactions docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + This script disables the Security Health Service's COM objects, which prevents + the Windows Security Center from running. - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. + Security Health Service is also known as **Windows Security Service** [1] [2] + or **Windows Security Health Service** [1] [2] [3]. + It is a fundamental component of Windows security features [3]. 
- [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: + The script disables various Component Object Model (COM) objects related to + this service. + **COM (Component Object Model)** is a system enabling interaction between software + components in Windows [4]. + + Disabling these components may enhance your privacy by limiting the system's ability + to monitor and report on your computer's security status. + It may also improve system performance by preventing these services from running in + the background. + + However, disabling these components may lower your system's overall security. + This script does not directly disable Defender Antivirus or Defender Firewall [3]. + But it may prevent Windows from alerting you about potential security issues or + threats. + + > **Caution**: + > Disabling these components may increase your system's vulnerability to security threats + > and prevent you from receiving important security notifications + + ### Technical Details + + The script disables the following COM objects: + + - Security Health Service (AppID: `2EB6D15C-5239-41CF-82FB-353D20B816CF`) [1] [5] + - Defender Pua Shield Class (CLSID: `F6976CF5-68A8-436C-975A-40BE53616D59`) [6] + - Threat Protection Shield Class (CLSID: `CC66E708-C687-42EA-806E-83D41C9D1A5F`) [5] [7] + - Defender Shield Class (CLSID: `8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0`) [5] [8] + - Dashboard Class (CLSID: `F99A566C-42AE-4DE2-AD4D-D297A04C5433`) [5] [9] + - Health Advisor Shield Class (CLSID: `470B9B9B-0E95-4963-B265-5D58E5808C3D`) [5] [10] + - Shield Process Launcher Class (CLSID: `2D15188C-D298-4E10-83B2-64666CCBEBBD`) [5] [11] + - App and Browser Shield Class (CLSID: `816A45F9-7406-42BB-B4FA-A655D96F2A8A`) [5] [12] + - Account Protection Shield Class (CLSID: 
`2557a77e-882d-4633-960e-0c718670c1c7`) [13] + - Data Protection Shield Class (CLSID: `1B48339C-D15E-45F3-AD55-A851CB66BE6B`) [14] + - Exploit Shield Class (CLSID: `A2A6D7C6-ECBD-439E-9244-9E784608439F`) [5] [15] + - Management Shield Class (CLSID: `434AEC1C-8583-45EC-B88F-750D6F380BC3`) [5] [16] + - Shield Provider Toast Class (CLSID: `D6B0D1EB-456E-48FF-A3E3-F393C74B85DB`) [5] [17] + - Hardware Shield Class (CLSID: `EDAE4045-CAE6-4706-8973-FA69715B8C10`) [18] + - OS Protection Shield Class (CLSID: `5CF41123-E9E6-4AC0-85A7-C4001F513C6A`) [19] + - Application Guard Shield Class (CLSID: `BD8A8E7D-E42F-434A-8215-C7ECB6C32786`) [20] + - ForceField Web Protection Shield Class (CLSID: `47782907-6A6D-44BC-8872-4E45E994E6F9`) [21] + + These objects are core components of the Windows Security Health Service [5]. + They are used by `SecurityHealthCore.dll` [1] and `SecurityHealthService.exe` [22]. + + [1]: https://archive.ph/2024.08.30-134307/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | 10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [2]: https://web.archive.org/web/20240830134503/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_Windows11_21H2/comx64/comAppId.csv "windows-com-objects/Data/CASE_Windows11_21H2/comx64/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + [3]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - 
Windows Security | Microsoft Learn" + [4]: https://web.archive.org/web/20240830140350/https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model "The Component Object Model - Win32 apps | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240829090053/https://github.com/privacysexy-forks/juicy-potato/blob/master/CLSID/Windows_10_Enterprise/README.md "juicy-potato/CLSID/Windows_10_Enterprise/README.md at master ยท privacysexy-forks/juicy-potato | github.com" + [6]: https://web.archive.org/web/20240830133815/https://strontic.github.io/xcyclopedia/library/clsid_F6976CF5-68A8-436C-975A-40BE53616D59.html "CLSID F6976CF5-68A8-436C-975A-40BE53616D59 | Defender Pua Shield Class | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20240830133850/https://strontic.github.io/xcyclopedia/library/clsid_CC66E708-C687-42EA-806E-83D41C9D1A5F.html "CLSID CC66E708-C687-42EA-806E-83D41C9D1A5F | Threat Protection Shield Class | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240830133934/https://strontic.github.io/xcyclopedia/library/clsid_8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0.html "CLSID 8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0 | Defender Shield Class | STRONTIC | strontic.github.io" + [9]: https://web.archive.org/web/20240830133817/https://strontic.github.io/xcyclopedia/library/clsid_F99A566C-42AE-4DE2-AD4D-D297A04C5433.html "CLSID F99A566C-42AE-4DE2-AD4D-D297A04C5433 | Dashboard Class | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240830133835/https://strontic.github.io/xcyclopedia/library/clsid_470B9B9B-0E95-4963-B265-5D58E5808C3D.html "CLSID 470B9B9B-0E95-4963-B265-5D58E5808C3D | Health Advisor Shield Class | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240830133909/https://strontic.github.io/xcyclopedia/library/clsid_2D15188C-D298-4E10-83B2-64666CCBEBBD.html "CLSID 2D15188C-D298-4E10-83B2-64666CCBEBBD | Shield Process Launcher Class | STRONTIC | 
strontic.github.io" + [12]: https://web.archive.org/web/20240830134053/https://strontic.github.io/xcyclopedia/library/clsid_816A45F9-7406-42BB-B4FA-A655D96F2A8A.html "CLSID 816A45F9-7406-42BB-B4FA-A655D96F2A8A | App and Browser Shield Class | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240830134049/https://strontic.github.io/xcyclopedia/library/clsid_2557a77e-882d-4633-960e-0c718670c1c7.html "CLSID 2557a77e-882d-4633-960e-0c718670c1c7 | Account Protection Shield Class | STRONTIC | strontic.github.io" + [14]: https://web.archive.org/web/20240830134101/https://strontic.github.io/xcyclopedia/library/clsid_1B48339C-D15E-45F3-AD55-A851CB66BE6B.html "CLSID 1B48339C-D15E-45F3-AD55-A851CB66BE6B | Data Protection Shield Class | STRONTIC | strontic.github.io" + [15]: https://web.archive.org/web/20240830134116/https://strontic.github.io/xcyclopedia/library/clsid_A2A6D7C6-ECBD-439E-9244-9E784608439F.html "CLSID A2A6D7C6-ECBD-439E-9244-9E784608439F | Exploit Shield Class | STRONTIC | strontic.github.io" + [16]: https://web.archive.org/web/20240830134135/https://strontic.github.io/xcyclopedia/library/clsid_434AEC1C-8583-45EC-B88F-750D6F380BC3.html "CLSID 434AEC1C-8583-45EC-B88F-750D6F380BC3 | Management Shield Class | STRONTIC | strontic.github.io" + [17]: https://web.archive.org/web/20240830134148/https://strontic.github.io/xcyclopedia/library/clsid_D6B0D1EB-456E-48FF-A3E3-F393C74B85DB.html "CLSID D6B0D1EB-456E-48FF-A3E3-F393C74B85DB | Shield Provider Toast Class | STRONTIC | strontic.github.io" + [18]: https://web.archive.org/web/20240830134524/https://strontic.github.io/xcyclopedia/library/clsid_EDAE4045-CAE6-4706-8973-FA69715B8C10.html "CLSID EDAE4045-CAE6-4706-8973-FA69715B8C10 | Hardware Shield Class | STRONTIC | strontic.github.io" + [19]: https://web.archive.org/web/20240830134415/https://strontic.github.io/xcyclopedia/library/clsid_5CF41123-E9E6-4AC0-85A7-C4001F513C6A.html "CLSID 5CF41123-E9E6-4AC0-85A7-C4001F513C6A | OS Protection Shield Class 
| STRONTIC | strontic.github.io" + [20]: https://web.archive.org/web/20240830134433/https://strontic.github.io/xcyclopedia/library/clsid_BD8A8E7D-E42F-434A-8215-C7ECB6C32786.html "CLSID BD8A8E7D-E42F-434A-8215-C7ECB6C32786 | Application Guard Shield Class | STRONTIC | strontic.github.io" + [21]: https://web.archive.org/web/20240830134440/https://strontic.github.io/xcyclopedia/library/clsid_47782907-6A6D-44BC-8872-4E45E994E6F9.html "CLSID 47782907-6A6D-44BC-8872-4E45E994E6F9 | ForceField Web Protection Shield Class | STRONTIC | strontic.github.io" + [22]: https://web.archive.org/web/20240830134010/https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/SecurityHealthService.exe.strings "10_0_19045_2251/C/Windows/System32/SecurityHealthService.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf ยท privacysexy-forks/10_0_19045_2251 | github.com" + call: - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + 
keyPath: HKLM\Software\Classes\AppID\{2EB6D15C-5239-41CF-82FB-353D20B816CF} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Family options" section in "Windows Security" - docs: |- - - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 
'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on 
Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2557a77e-882d-4633-960e-0c718670c1c7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3} + elevateToTrustedInstaller: 'true' # 
๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Windows Security Health Agent (WSHA) + docs: |- + This script disables the Windows Security Health Agent (WSHA). 
+
+ WSHA is a component that transmits a client's security health state to a network policy server [1].
+ It sends a summary of Windows Update-related information [2].
+ This data transmission may raise privacy concerns for users who wish to limit the information shared
+ with Microsoft or network administrators.
+
+ By disabling WSHA, this script improves privacy by preventing the automatic sending of system health
+ and update information.
+ It may also slightly increase system performance by reducing background processes.
+
+ However, disabling WSHA may reduce security by limiting the ability of network administrators to assess and maintain
+ the security health of connected devices. This could potentially leave systems more vulnerable to threats.
+
+ > **Caution**:
+ > Disabling this agent may interfere with your organization's security policies and leave your system more vulnerable to threats.
+
+ ### Technical Details
+
+ The Windows Security Health Agent is implemented through the library file
+ located at `%SYSTEMROOT%\System32\SecurityHealthAgent.dll` [3] [4].
+ + [1]: https://web.archive.org/web/20240912124329/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/9ffadcf7-7713-4bf1-a0ca-2e52b116a0dc "[MS-WSH]: Overview | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240912124342/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/2dbd4726-63e8-425c-bd74-9994158b3dd5 "[MS-WSH]: Relationship with the Windows Update Client-Server Protocol | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240912124500/https://strontic.github.io/xcyclopedia/library/SecurityHealthAgent.dll-9C23672E9D8F134424DEA1BE93303BD1.html "SecurityHealthAgent.dll | Windows Security Health Agent | STRONTIC | strontic.github.io" + call: + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthAgent.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + name: Disable Windows Security Health Core + docs: |- + This script disables the Windows Security Health Core component. + + Windows Security Health Core is a system library that manages security settings, monitors + system integrity, and interfaces with various security features [2] [3]. + It provides status information to both the system and users, handling security-related + Windows services [3]. + + Disabling this component may enhance privacy by limiting the system's monitoring and reporting + of security-related activities. 
+ It may slightly improve system performance by removing background processes related to security + monitoring. + + However, this action may significantly reduce system security by disabling essential security + features and monitoring. + This can make your system more vulnerable to threats and malware. + + > **Caution**: + > Disabling this component weakens Windows security monitoring, potentially leaving your system + > exposed to undetected threats. + + ### Technical Details + + The script removes the library file located at `%SYSTEMROOT%\System32\SecurityHealthCore.dll` [1]. + + [1]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240912131843/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.coff "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20240912131842/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthCore.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthCore.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthCore.dll' + grantPermissions: 'true' + 
minimumWindowsVersion: Windows11-FirstRelease + - + name: Disable Windows Security Health UDK + docs: |- + This script disables the Windows Security Health UDK component. + + The **Windows Security Health UDK** is a core library that manages key aspects of **Windows Security** [1] [2]. + UDK stands for *Undocked Developer Kit* [3], *Undocked Dev Kit* [4], *Windows UDK* [3] [4]. + It's also referred to as *Undocked Shell* [5]. + It coordinates shell experiences (user interfaces) [6] and adds new features to the Windows desktop + independently of full system updates [5]. + + This component's key functions include: + + - Providing security-related services [1] + - Managing security policies [1] [2] + - Gathering system information [1] [2] + - Handling event logging [1] [2] + - Performing cryptographic operations [1] + - Managing user accounts and sessions [1] [2] + - Supporting Windows Defender features [1] [2] + - Managing containerization and virtualization [1] [2] + - Configuring firewall settings [2] + + This script may enhance privacy by limiting the system's ability to collect and process security-related data. + It may also increase system performance by reducing background processes related to security monitoring. + + However, disabling this component may significantly weaken your system's security. + According to community reports, it may disable the Windows Security background service and interface [7]. + This may leave your system more vulnerable to threats. + + > **Caution**: + > This action may expose your system to additional security threats, especially if you're unfamiliar + > with security management. + + ### Technical Details + + The library is located at `%SYSTEMROOT%\System32\SecurityHealthUdk.dll` [1] [2] [8]. 
+ + [1]: https://web.archive.org/web/20240919114317/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthUdk.dll.coff "10_0_22622_601/C/Windows/System32/SecurityHealthUdk.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [2]: https://web.archive.org/web/20240919114426/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthUdk.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthUdk.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20240321102101/https://www.dllme.com/dll/files/windowsudk_shellcommon "windowsudk.shellcommon.dll : Free .DLL download. - DLLme.com | www.dllme.com" + [4]: https://web.archive.org/web/20240321102221/https://strontic.github.io/xcyclopedia/library/windowsudk.shellcommon.dll-AA8B2A24FBC79C2F491B4A527B4A9A42.html "windowsudk.shellcommon.dll | Windows Undocked Dev Kit Shellcommon DLL | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240321105425/https://mspoweruser.com/latest-windows-10-20h1-preview-build-shows-microsoft-is-making-the-windows-10-shell-piecemeal-upgradable/ "Latest Windows 10 20H1 Preview Build shows Microsoft is making the Windows 10 Shell piecemeal upgradable - MSPoweruser | mspoweruser.com" + [6]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240912134346/https://answers.microsoft.com/en-us/windows/forum/all/windows-security-service-set-to-manual-start-with/cadb3956-7291-4213-ab32-cb011ee3388e "Windows Security Service set to manual start, with no option to switch - Microsoft Community 
| answers.microsoft.com" + [8]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: + function: SoftDeleteFiles + parameters: + # Availability: ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthUdk.dll' + grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + minimumWindowsVersion: Windows11-FirstRelease + - + name: Disable "Windows Security Health Host" process + docs: |- + This script disables the Windows Security Health Host. + + The Windows Security Health Host monitors and reports on the Windows operating system's security status [1] [2]. + It continuously checks system security aspects like Defender antivirus, firewall status, and the presence of the latest security patches [2]. + It automatically starts with Windows and runs in the background [2]. + + By disabling this process, the script may improve privacy by preventing the constant monitoring and reporting of system security status. + It may also increase system performance by eliminating the background process. + + However, this action may reduce system security. + Without the Security Health Host, **Windows Security** can't effectively monitor or report on the system's security health [1]. + **Windows Security** is a built-in Windows feature that offers a unified interface for various security products, including Defender antivirus [3]. + + > **Caution**: Disabling this feature may leave your system vulnerable to security threats without your knowledge. 
+ + ### Technical Details + + This script removes the executable file `SecurityHealthHost.exe` from the `%SYSTEMROOT%\System32` directory [2] [4] [5]. + It also prevents any future execution of the `SecurityHealthHost.exe` process. + + [1]: https://web.archive.org/web/20240912171920/https://www.file.net/process/securityhealthhost.exe.html "SecurityHealthHost.exe Windows process - What is it? | www.file.net" + [2]: https://web.archive.org/web/20230708061253/https://malwaretips.com/blogs/securityhealthhost-exe/ "SecurityHealthHost.exe - Is SecurityHealthHost.exe Safe Or Malware? | malwaretips.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240912171905/https://strontic.github.io/xcyclopedia/library/SecurityHealthHost.exe-672C2568647CE3A4F06A1CB466490AB7.html "SecurityHealthHost.exe | Windows Security Health Host | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthHost.exe' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: SecurityHealthHost.exe + - + name: Disable Windows Security Health data sharing + docs: |- + This script disables 
Windows Security Health components, including COM objects and files that
+ exchange security information between Windows processes.
+
+ **Windows Security** is a built-in tool that provides a central interface for security features such
+ as antivirus protection [1].
+ **Security Health** is a component that reports system health information [2].
+
+ It uses a specific protocol [3] and COM objects to communicate with other processes [4].
+ **COM (Component Object Model)** is a system that allows software components to interact across processes [5].
+
+ This script enhances privacy by preventing Windows Security from gathering and reporting system health information.
+ It may boost system performance by reducing background processes related to security health reporting.
+ However, this may reduce your system's security by disabling features that monitor and protect your device.
+
+ > **Caution**:
+ > This action may make your system more vulnerable and reduce access to critical security information.
+
+ ### Technical Details
+
+ It removes the following files:
+
+ - `%SYSTEMROOT%\System32\SecurityHealthProxyStub.dll` [6]
+
+ It removes the following COM classes:
+
+ - Defender Shield Broker (`6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF`) [7]
+ - App Installer Prompt (`AA00FB1F-4EC7-4b09-BDC1-E5D88D291440`) [4] [8]
+ - Windows Security Health Proxy Stub Factory (`36383E77-35C2-4B45-8277-329E4BEDF47F`) [6]
+ - Application Guard Shield Broker (`10964DDD-6A53-4C60-917F-7B5723014344`) [9]
+ - Health Advisor Shield Broker (`2EF44DE8-80C9-42D9-8541-F40EF0862FA3`) [10]
+ - Shield Process Launcher Broker (`3213CD15-4DF2-415F-83F2-9FC58F3AEB3A`) [11]
+ - Network Protection Shield Broker (`3522D7AF-4617-4237-AAD8-5860231FC9BA`) [12]
+ - Defender Pua Shield Broker (`45F2C32F-ED16-4C94-8493-D72EF93A051B`) [13]
+ - Exploit Shield Broker (`3886CA90-AB09-49D1-A047-7A62D096D275`) [14]
+ - Dashboard Broker (`3CD3CA1E-2232-4BBF-A733-18B700409DA0`) [15]
+ - Account Protection Shield Broker (`5ffab5c8-9a36-4b65-9fc6-fb69f451f99c`) [16]
+ - Windows Security Health Agent Proxy Stub Factory (`82345212-6ACA-4B38-8CD7-BF9DE8ED07BD`) [17]
+ - Management Shield Broker (`849F5497-5C61-4023-8E10-A28F1A8C6A70`) [18]
+ - Hardware Shield Broker (`88866959-07B0-4ED8-8EF5-54BC7443D28C`) [19]
+ - App and Browser Shield Broker (`8E67B5C5-BAD3-4263-9F80-F769D50884F7`) [20]
+ - Data Protection Shield Broker (`C8DFF91D-B243-4797-BAE6-C461B65EDED3`) [21]
+ - ForceField Web Protection Shield Broker (`DBF393FC-230C-46CC-8A85-E9C599A81EFB`) [22]
+ - Shield Elevation Broker (`E041C90B-68BA-42C9-991E-477B73A75C90`) [23]
+ - OS Protection Shield Broker (`E476E4C0-409C-43CD-BBC0-5905B4138494`) [24]
+ - Shield Provider User Session Agent (`08728914-3F57-4D52-9E31-49DAECA5A80A`) [25]
+
+ It removes the following COM applications:
+
+ - Security Health Agent Activate As Activator Host (`37096FBE-2F09-4FF6-8507-C6E4E1179893`) [7] [10] [11] [12] [13] [14] [15] [18] [19] [20] [24] [26]
+ - Security Health Agent 
Interactive User Host (`7E55A26D-EF95-4A45-9F55-21E52ADF9887`) [16] [21] [22] [25] [26] + - Security Health Agent Interactive User Host for WDSP only (`4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed`) [26] + + [1]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20240913071811/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wsh/9a16cf36-da15-454d-aeaa-600df49efa98 "[MS-WSH]: Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240912123628/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest "nickel-x64/WinSxS/Manifests/amd64_windows-shield-provider_31bf3856ad364e35_10.0.22621.1_none_078b8e81c1191957.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240913071751/https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal "Component Object Model (COM) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240913064542/https://strontic.github.io/xcyclopedia/library/clsid_36383E77-35C2-4B45-8277-329E4BEDF47F.html "CLSID 36383E77-35C2-4B45-8277-329E4BEDF47F | Windows Security Health Proxy Stub Factory | STRONTIC | strontic.github.io" + [7]: 
https://web.archive.org/web/20240913064147/https://strontic.github.io/xcyclopedia/library/clsid_6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF.html "CLSID 6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF | Defender Shield Broker | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240919210000/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.22621.1_none_6d8ff9efc958eff3.manifest "nickel-x64/WinSxS/Manifests/wow64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.22621.1_none_6d8ff9efc958eff3.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [9]: https://web.archive.org/web/20240913064635/https://strontic.github.io/xcyclopedia/library/clsid_10964DDD-6A53-4C60-917F-7B5723014344.html "CLSID 10964DDD-6A53-4C60-917F-7B5723014344 | Application Guard Shield Broker | STRONTIC | strontic.github.io" + [10]: https://web.archive.org/web/20240913071111/https://strontic.github.io/xcyclopedia/library/clsid_2EF44DE8-80C9-42D9-8541-F40EF0862FA3.html "CLSID 2EF44DE8-80C9-42D9-8541-F40EF0862FA3 | Health Advisor Shield Broker | STRONTIC | strontic.github.io" + [11]: https://web.archive.org/web/20240830134518/https://strontic.github.io/xcyclopedia/library/clsid_3213CD15-4DF2-415F-83F2-9FC58F3AEB3A.html "CLSID 3213CD15-4DF2-415F-83F2-9FC58F3AEB3A | Shield Process Launcher Broker | STRONTIC | strontic.github.io" + [12]: https://web.archive.org/web/20240913072059/https://strontic.github.io/xcyclopedia/library/clsid_3522D7AF-4617-4237-AAD8-5860231FC9BA.html "CLSID 3522D7AF-4617-4237-AAD8-5860231FC9BA | Network Protection Shield Broker | STRONTIC | strontic.github.io" + [13]: https://web.archive.org/web/20240913072244/https://strontic.github.io/xcyclopedia/library/clsid_45F2C32F-ED16-4C94-8493-D72EF93A051B.html "CLSID 45F2C32F-ED16-4C94-8493-D72EF93A051B | Defender Pua Shield Broker | STRONTIC | strontic.github.io" + [14]: 
https://web.archive.org/web/20240913072514/https://strontic.github.io/xcyclopedia/library/clsid_3886CA90-AB09-49D1-A047-7A62D096D275.html "CLSID 3886CA90-AB09-49D1-A047-7A62D096D275 | Exploit Shield Broker | STRONTIC | strontic.github.io" + [15]: https://web.archive.org/web/20240913072524/https://strontic.github.io/xcyclopedia/library/clsid_3CD3CA1E-2232-4BBF-A733-18B700409DA0.html "CLSID 3CD3CA1E-2232-4BBF-A733-18B700409DA0 | Dashboard Broker | STRONTIC | strontic.github.io" + [16]: https://web.archive.org/web/20240913072538/https://strontic.github.io/xcyclopedia/library/clsid_5ffab5c8-9a36-4b65-9fc6-fb69f451f99c.html "CLSID 5ffab5c8-9a36-4b65-9fc6-fb69f451f99c | Account Protection Shield Broker | STRONTIC | strontic.github.io" + [17]: https://web.archive.org/web/20240913074656/https://strontic.github.io/xcyclopedia/library/clsid_82345212-6ACA-4B38-8CD7-BF9DE8ED07BD.html "CLSID 82345212-6ACA-4B38-8CD7-BF9DE8ED07BD | Windows Security Health Agent Proxy Stub Factory | STRONTIC | strontic.github.io" + [18]: https://web.archive.org/web/20240913074603/https://strontic.github.io/xcyclopedia/library/clsid_849F5497-5C61-4023-8E10-A28F1A8C6A70.html "CLSID 849F5497-5C61-4023-8E10-A28F1A8C6A70 | Management Shield Broker | STRONTIC | strontic.github.io" + [19]: https://web.archive.org/web/20240913074718/https://strontic.github.io/xcyclopedia/library/clsid_88866959-07B0-4ED8-8EF5-54BC7443D28C.html "CLSID 88866959-07B0-4ED8-8EF5-54BC7443D28C | Hardware Shield Broker | STRONTIC | strontic.github.io" + [20]: https://web.archive.org/web/20240913074846/https://strontic.github.io/xcyclopedia/library/clsid_8E67B5C5-BAD3-4263-9F80-F769D50884F7.html "CLSID 8E67B5C5-BAD3-4263-9F80-F769D50884F7 | App and Browser Shield Broker | STRONTIC | strontic.github.io" + [21]: https://web.archive.org/web/20240913074955/https://strontic.github.io/xcyclopedia/library/clsid_C8DFF91D-B243-4797-BAE6-C461B65EDED3.html "CLSID C8DFF91D-B243-4797-BAE6-C461B65EDED3 | Data Protection Shield Broker | STRONTIC 
| strontic.github.io" + [22]: https://web.archive.org/web/20240913075211/https://strontic.github.io/xcyclopedia/library/clsid_DBF393FC-230C-46CC-8A85-E9C599A81EFB.html "CLSID DBF393FC-230C-46CC-8A85-E9C599A81EFB | ForceField Web Protection Shield Broker | STRONTIC | strontic.github.io" + [23]: https://web.archive.org/web/20240913075436/https://strontic.github.io/xcyclopedia/library/clsid_E041C90B-68BA-42C9-991E-477B73A75C90.html "CLSID E041C90B-68BA-42C9-991E-477B73A75C90 | Shield Elevation Broker | STRONTIC | strontic.github.io" + [24]: https://web.archive.org/web/20240913075557/https://strontic.github.io/xcyclopedia/library/clsid_E476E4C0-409C-43CD-BBC0-5905B4138494.html "CLSID E476E4C0-409C-43CD-BBC0-5905B4138494 | OS Protection Shield Broker | STRONTIC | strontic.github.io" + [25]: https://web.archive.org/web/20240913080701/https://strontic.github.io/xcyclopedia/library/clsid_08728914-3F57-4D52-9E31-49DAECA5A80A.html "CLSID 08728914-3F57-4D52-9E31-49DAECA5A80A | Shield Provider User Session Agent | STRONTIC | strontic.github.io" + [26]: https://web.archive.org/web/20240913072752/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_WindowsServer2019/comx64/comAppId.csv "windows-com-objects/Data/CASE_WindowsServer2019/comx64/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\SecurityHealthProxyStub.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ 
Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{AA00FB1F-4EC7-4b09-BDC1-E5D88D291440} + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{AA00FB1F-4EC7-4b09-BDC1-E5D88D291440} + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ“‚ Unprotected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{10964DDD-6A53-4C60-917F-7B5723014344} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{2EF44DE8-80C9-42D9-8541-F40EF0862FA3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3213CD15-4DF2-415F-83F2-9FC58F3AEB3A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + 
function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3522D7AF-4617-4237-AAD8-5860231FC9BA} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{45F2C32F-ED16-4C94-8493-D72EF93A051B} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3886CA90-AB09-49D1-A047-7A62D096D275} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{3CD3CA1E-2232-4BBF-A733-18B700409DA0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{5ffab5c8-9a36-4b65-9fc6-fb69f451f99c} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro 
(โ‰ฅ 22H2) | ๐Ÿ“‚ Unprotected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{849F5497-5C61-4023-8E10-A28F1A8C6A70} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{88866959-07B0-4ED8-8EF5-54BC7443D28C} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{8E67B5C5-BAD3-4263-9F80-F769D50884F7} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{C8DFF91D-B243-4797-BAE6-C461B65EDED3} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DBF393FC-230C-46CC-8A85-E9C599A81EFB} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90} + 
elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{E476E4C0-409C-43CD-BBC0-5905B4138494} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{37096FBE-2F09-4FF6-8507-C6E4E1179893} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{37096FBE-2F09-4FF6-8507-C6E4E1179893} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{7E55A26D-EF95-4A45-9F55-21E52ADF9887} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + 
function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{7E55A26D-EF95-4A45-9F55-21E52ADF9887} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppId\{4fe95d37-3459-4ecc-ac3e-f7abbe4e8aed} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) + maximumWindowsVersion: Windows10-MostRecent + - + name: Remove "Windows Security" system tray icon + docs: |- + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Remove "Scan with Defender" from context menu + docs: |- + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. + + This script enhances user privacy by limiting engagement with Defender's data collection processes. 
+ Defender may collect data during scans and at regular intervals, which some users may find
+ unnecessary or unwanted.
+
+ Removing this option only affects the context menu appearance and does not disable Defender
+ or its other functions.
+
+ > **Caution**: This may reduce system security by making it less convenient to perform on-demand
+ > scans of specific files or folders.
+
+ ### Technical Details
+
+ The script functions by altering specific registry keys that correspond to the Defender context menu option.
+ It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2].
+ The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR`
+ (`HKEY_CLASSES_ROOT`) view [3].
+
+ The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu.
+ This feature is provided by `shellext.dll` file located in Defender's program files [1].
+
+ [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io"
+ [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com"
+ [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com"
+ call:
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}
+ -
+ function: DeleteRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
+ valueName: (Default)
+ # Default values:
+ # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)'
+ # โœ… Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
+ # โœ… Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
+ dataTypeOnRevert: REG_SZ
+ dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}'
+ -
+ function: DeleteRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
+ valueName: (Default)
+ # Default values:
+ # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)'
+ # โœ… Windows 10 (โ‰ฅ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
+ # โœ… Windows 11 (โ‰ฅ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
+ dataTypeOnRevert: REG_SZ
+ dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}'
+ -
+ name: Remove "Windows Security" icon from taskbar
+ docs: |-
+ This script removes the Windows Security icon from the system tray.
+
+ **Windows Security** is an interface introduced in Windows 10, version 1703 [1].
+ It was previously named **Windows Defender Security Center** [1].
+ It offers a unified interface to manage security settings and monitor system status [1] [2].
+
+ The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [3] [4].
+
+ > **Caution:**
+ > Removing the icon may hide important security alerts and make accessing security settings less convenient.
+
+ ### Technical Details
+
+ The script modifies the registry to stop this file from running on startup, effectively removing the icon.
+ It specifically removes the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth` registry key.
+ This key exists in modern Windows versions (tested on Windows 11 22H2 and Windows 10 22H2) with a
+ default value of `%SYSTEMROOT%\System32\SecurityHealthSystray.exe`.
+
+ [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
+ [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com"
+ [3]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?"
+ [4]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io"
+ call:
+ function: DeleteRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ valueName: SecurityHealth
+ # Default values:
+ # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth'
+ # โœ… Windows 10 (โ‰ฅ 22H2) : C:\Windows\System32\SecurityHealthSystray.exe (REG_EXPAND_SZ)
+ # โœ… Windows 11 (โ‰ฅ 23H2) : C:\Windows\System32\SecurityHealthSystray.exe (REG_EXPAND_SZ)
+ dataTypeOnRevert: REG_EXPAND_SZ
+ dataOnRevert: '%SYSTEMROOT%\System32\SecurityHealthSystray.exe'
+ -
+ name: Disable Defender Antivirus interface
+ docs: |-
+ This script disables the Defender Antivirus interface.
+
+ This script keeps the Antimalware User Interface (AM UI) hidden from users [1].
+ This prevents user interactions with the Defender Antivirus interface.
+
+ Several reasons to hide the antivirus interface:
+
+ - **Reduced data sharing**:
+ Minimizing Defender's visible interactions can potentially limit the extent of user data shared with Microsoft,
+ whether you're using Defender or disabling it for an alternative solution.
+ - **Minimized Interruptions**:
+ Hiding the interface prevents users from starting and pausing scans.
+ It also eliminates prompts that may lead to unknowing data sharing.
+ This approach streamlines the user experience and reduces the risk of accidental data sharing.
+ - **Reduced notifications**:
+ Enabling headless UI mode in Windows 10 (version 1703 and newer) hides Defender Antivirus notifications [2].
+ It prevents users from being overwhelmed with security notifications.
+ This action can contribute to a cleaner, less interrupted user experience.
+ By reducing these notifications, the system lessens the chances of users inadvertently
+ triggering options that may share data.
+ - **Restricting access**:
+ In earlier versions of Windows 10, activating this mode not only hides the Defender client interface
+ but also restricts users from accessing it [2].
+ If a user attempts to open the interface, they are met with a warning, indicating that
+ access has been restricted by the system administrator [2].
+
+ > **Caution**:
+ > This action limits your ability to manage antivirus settings, manually run scans and view security status.
+
+ ### Technical Details
+
+ The script achieves this by making a specific change in the Windows Registry.
+ Specifically, it adds a value named `UILockdown` in the
+ `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its
+ data to `1` [1].
+
+ [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode"
+ [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn"
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable outdated non-administrator access to Defender threat history
+ docs: |-
+ This script disables privacy mode for Defender scans, limiting threat history access to administrators.
+
+ By default, privacy mode is enabled [1].
+ When active, it restricts the display of spyware and potentially dangerous programs to administrators only,
+ instead of all users on the computer [2].
+ It blocks non-administrators from viewing threat history [1].
+
+ This is a legacy setting that only affects older versions of Defender Antivirus [1].
+ It has no impact on current platforms [1].
+
+ Limiting threat history to administrators has both benefits and drawbacks.
+ It improves security and privacy by limiting access to sensitive threat information.
+ However, it may reduce transparency and hinder security efforts for users without admin access who
+ need this data.
+
+ > **Caution**: Non-admin users will be unable to view potential security threats on their accounts.
+
+ ### Technical Details
+
+ The script configures:
+
+ - `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3].
+ It sets the value to `$True`, effectively disabling privacy mode [1].
+ - `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2].
+ This undocumented registry key has been verified to work on older Windows versions by the community [2].
+
+ [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "ะกะพั„ั‚ | ะกะตะบั€ะตั‚ั‹ Windows 7 | www.win7help.ru"
+ [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one"
+ call:
+ -
+ function: SetMpPreference
+ parameters:
+ property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
+ value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
+ default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
+ elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โœ… Windows 10 Pro (>= 22H2) | โŒ Windows 11 Pro (>= 23H2)
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration
+ valueName: DisablePrivacyMode
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ elevateToTrustedInstaller: 'true' # Without TrustedInstaller: โŒ Windows 10 Pro (>= 20H2) | โŒ Windows 11 Pro (>= 23H2)
+ -
+ category: Disable sections in "Windows Security"
+ docs: |-
+ This category provides scripts that let you disable specific sections of the "Windows Security" interface.
+
+ **Windows Security** provides a centralized location for managing security settings and viewing system status [1] [2].
+ This interface was introduced in Windows 10, version 1703 [1].
+ It was previously known as **Windows Defender Security Center** [1].
+
+ Windows Security has various sections, and each can be turned off individually [1].
+ If all sections are disabled, Windows Security will display in a restricted mode [1].
+
+ > **Caution:**
+ > Disabling sections may prevent you from accessing important security features or viewing your
+ > system's security status.
+ > This may leave you unaware of important security issues on your system.
+
+ [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
+ [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com"
+ children:
+ -
+ name: Disable "Virus and threat protection" section in "Windows Security"
+ docs: |-
+ - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection)
+ - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Ransomware data recovery" section in "Windows Security"
+ docs: |-
+ [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
+ valueName: HideRansomwareRecovery
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Family options" section in "Windows Security"
+ docs: |-
+ - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options)
+ - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Device performance and health" section in "Windows Security"
+ docs: |-
+ - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health)
+ - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Account protection" section in "Windows Security"
+ docs: |-
+ - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection)
+ - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "App and browser control" section in "Windows Security"
+ docs: |-
+ - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control)
+ - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ category: Disable device security sections
+ children:
+ -
+ name: Disable "Device security" section in "Windows Security"
+ docs: |-
+ - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security)
+ - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
+ valueName: UILockdown
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Clear TPM" button in "Windows Security"
+ docs: |-
+ - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button)
+ - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
+ valueName: DisableClearTpmButton
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Secure boot" button in "Windows Security"
+ docs: |-
+ [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
+ valueName: HideSecureBoot
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security"
+ docs: |-
+ [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
+ valueName: HideTPMTroubleshooting
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ name: Disable "TPM Firmware Update" recommendation in "Windows Security"
+ docs: |-
+ - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation)
+ - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning)
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
+ valueName: DisableTpmFirmwareUpdateWarning
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ category: Disable security notifications
+ docs: |-
+ This category contains scripts to disable Windows security notifications.
+
+ Windows sends security notifications to inform users of potential threats, vulnerabilities, and important security events.
+ These notifications are generated by security components like Windows Security and Defender Antivirus.
+
+ Disabling these notifications may:
+
+ - Enhance privacy by reducing visible security-related information on your screen
+ - Improve system performance slightly by preventing these alerts from being processed and displayed
+
+ However, disabling these notifications comes with significant risks:
+
+ - Decreased awareness of critical security issues and threats
+ - Potential exposure to unnoticed malware or system vulnerabilities
+ - Missing important system maintenance tasks
+
+ > **Caution**:
+ > Disabling security notifications may significantly reduce your awareness of critical system and security issues.
+ > This may increase your system's vulnerability to threats.
+ > Consider these options only if you have alternative security measures in place or are an advanced user who
+ > regularly monitors system security through other means.
+ children:
+ -
+ category: Disable Security and Maintenance notifications
+ docs: |-
+ This category includes scripts to disable Security and Maintenance notifications in Windows.
+
+ **Security and Maintenance** was previously known as the **Action Center** [1] or
+ **Security Center** [1] [2].
+ It serves as a central interface in Windows for managing security and maintenance settings [3].
+ It alerts users to important system events, security risks, and maintenance issues [3].
+
+ Disabling these notifications may enhance privacy by reducing the visibility of system health and
+ security details.
+ It may also slightly improve system performance by preventing these alerts from being processed and
+ displayed.
+
+ However, this action may decrease security by:
+
+ - Reducing awareness of critical security or health events.
+ - Potentially leaving the system vulnerable to unnoticed threats or issues.
+ - Preventing Windows from alerting you about important system maintenance needs.
+
+ > **Caution:**
+ > Disabling these notifications may significantly reduce your awareness of critical system and
+ > security issues, potentially leaving your system more vulnerable to threats.
+
+ [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com"
+ [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com"
+ [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com"
+ children:
+ -
+ name: Disable Security and Maintenance push notifications
+ docs: |-
+ This script disables all Windows Security and Maintenance notifications,
+ which may enhance privacy but could potentially impact system security.
+
+ **Security and Maintenance** was previously known as **Action Center** [1] [2].
+ It offers a central interface to manage security and maintenance settings [2] [3].
+ It's integrated into the Windows Control Panel [2].
+ It notifies you about important system events and issues [3] [4].
+ These notifications are enabled by default [5].
+
+ Disabling these notifications may enhance privacy by limiting visible security and health
+ information on your screen.
+ It may also marginally improve system performance by preventing the processing and display
+ of these alerts.
+
+ However, this action may reduce security:
+
+ - Decreasing awareness of critical security and health events
+ - Introducing potential vulnerability to unnoticed system issues or security threats
+
+ > **Caution**:
+ > This action may reduce your system security by preventing Windows from alerting you about
+ > critical security risks and system issues.
+ + ### Technical Details + + The script stops push notifications from the Windows Health Center package + (`Windows.SystemToast.SecurityAndMaintenance`) [4] [5]. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ "Disabling Windows 10 Notifications via Group Policy | Platforms, Lync, the Cloud, Oh My! 
| blogs.technet.microsoft.com" + [5]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" call: - function: SetRegistryValue + function: DisablePushNotifications parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + appUserModelId: Windows.SystemToast.SecurityAndMaintenance + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.SecurityAndMaintenance" + # reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SecurityAndMaintenance" - - category: Disable device security sections - children: + name: Disable Security and Maintenance taskbar notifications + docs: |- + This script disables Security and Maintenance-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Action Center and + Security and Maintenance components [1] [2]. + **Security and Maintenance** was previously known as **Action Center** [3] [4]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing + them on the Windows taskbar, managing Jump Lists, and controlling pinning [5]. + + This script may enhance privacy by reducing the visibility of security-related information + on your desktop. 
+ It may also slightly improve system performance by disabling these notification processes.
+
+ However, disabling these notifications may reduce your awareness of important security and
+ maintenance issues.
+
+ > **Caution**:
+ > Disabling taskbar integrations may leave you unaware of critical security and maintenance
+ > issues on your system.
+
+ ### Technical Details
+
+ This script removes these AppUserModelIds:
+
+ - `Windows.ActionCenter.UrgentNotification` [1]
+ - `Windows.SystemToast.SecurityAndMaintenance` [2]
+
+ [1]: https://web.archive.org/web/20240902111830/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com"
+ [2]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com"
+ [3]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com"
+ [4]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com"
+ [5]:
https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.ActionCenter.UrgentNotification + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | 
admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SecurityAndMaintenance + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance notification integrations + docs: |- + This script disables Security and Maintenance integrations that use Component Object Model (COM). + Previously, **Security and Maintenance** was known as **Action Center** [1]. + + *Component Object Model (COM)* enables communication between software components, whether within the + same process, on the same computer, or across different computers [2]. + By removing registry entries for these integrations, the script prevents Windows from creating and using + COM objects related to Security and Maintenance notifications. + + This script may improve privacy by reducing the system's ability to generate and display certain notifications + that may contain sensitive information. + It may slightly improve system performance by stopping some background processes related to security notifications. + + However, this action has significant trade-offs: + + - It disables security and maintenance notifications, which may leave you unaware of important system issues or security threats. 
+ - It prevents certain system health checks from running or reporting their results.
+ - It may disable parts of the Windows Security Center.
+ - It may break functionality in third-party security tools that rely on these integrations.
+
+ > **Caution**:
+ > Disabling these integrations may reduce your awareness of critical system and security issues, leaving your system
+ > more vulnerable to threats.
+
+ ### Technical Details
+
+ | Type | Name | ID |
+ | --------- | ------------------------------------------- | --------------------------------- |
+ | CLSID | Action Center Notification Activator [3] [4] | `A973E7B2-131B-428E-8B2B-EAE73D731E98` [3] [4] |
+ | CLSID | Security and Maintenance Notification Manager [3] [4] | `a3b3c46c-05d8-429b-bf66-87068b4ce563` [3] [4] |
+ | CLSID | Security and Maintenance PSFactory [3] [4] | `01afc156-f2eb-4c1c-a722-8550417d396f` [3] [4] |
+ | Interface | IHCNotificationManager [3] [4] | `01afc156-f2eb-4c1c-a722-8550417d396f` [3] [4] |
+ | Interface | IHCObjectWithCanonicalName [3] [4] | `824f0d64-069c-4383-9107-f18fc40c3ca6` [3] [4] |
+ | Interface | IHCCheckProvider [3] [4] | `418ee892-56f0-4c3b-9238-696ba0cef799` [3] [4] |
+ | Interface | IHCDescriptionAndIcon [3] [4] | `7cbc33db-7a53-45c3-a0cc-610292bd7b9e` [3] [4] |
+ | Interface | IHCCheck [3] [4] | `FAE9CE59-7621-4208-8BC3-2ACECD58FED2` [3] [4] |
+ | Interface | IHCCommand [3] [4] | `3d2eafc0-96d0-4925-9f7d-ff80b168f243` [3] [4] |
+ | Interface | IHCStatus [3] [4] | `b387c51b-7fe4-4252-8cd4-585592b4dc7e` [3] [4] |
+ | Interface | IHCAction [3] [4] | `e90aad8b-7f0c-480d-b33e-16779c4cf59d` [3] [4] |
+ | Interface | IHCNotification [3] [4] | `8025d477-47d3-449c-9350-c676140ee829` [3] [4] |
+ | Interface | IHCCheckCollection [3] [4] | `db62c52c-dbae-476c-aeac-fa9966e85326` [3] [4] |
+ | Interface | IHCNotificationCollection [3] [4] | `1cf5e433-3cf8-498e-8b5a-f47e23200e07` [3] [4] |
+ | Interface | IHCCommandCollection [3] [4] | `58d879fe-5b40-46aa-ab68-d146ff6a68a0` [3] [4] |
+
| Interface | IHCNotificationManagerEventsP [3] [4] | `0acabbb8-8f37-4605-9d41-eec1c33eeb95` [3] [4] | + | Interface | IHCCheckInternalP [3] [4] | `0cc6fe25-a88b-480d-956a-a9a20bd2c65a` [3] [4] | + | Interface | IHCNotificationInternalP [3] [4] | `8db6ae56-7ea1-421c-9c22-d3247c12c6c4` [3] [4] | + | Interface | IHCIconP [3] [4] | `014a1425-828b-482a-a386-5763b23531c3` [3] [4] | + | Interface | IHCNotificationManagerP [3] [4] | `B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5` [3] [4] | + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240903111125/https://learn.microsoft.com/en-us/windows/win32/com/inter-object-communication "Inter-Object Communication - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | 
admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{A973E7B2-131B-428E-8B2B-EAE73D731E98} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{A973E7B2-131B-428E-8B2B-EAE73D731E98} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - 
Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - category: Disable Defender notifications - children: + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{a3b3c46c-05d8-429b-bf66-87068b4ce563} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + 
parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{01afc156-f2eb-4c1c-a722-8550417d396f}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{01afc156-f2eb-4c1c-a722-8550417d396f}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{01afc156-f2eb-4c1c-a722-8550417d396f}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{824f0d64-069c-4383-9107-f18fc40c3ca6}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{824f0d64-069c-4383-9107-f18fc40c3ca6}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{418ee892-56f0-4c3b-9238-696ba0cef799}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{418ee892-56f0-4c3b-9238-696ba0cef799}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{7cbc33db-7a53-45c3-a0cc-610292bd7b9e}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{7cbc33db-7a53-45c3-a0cc-610292bd7b9e}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{FAE9CE59-7621-4208-8BC3-2ACECD58FED2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{FAE9CE59-7621-4208-8BC3-2ACECD58FED2}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{3d2eafc0-96d0-4925-9f7d-ff80b168f243}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{3d2eafc0-96d0-4925-9f7d-ff80b168f243}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{b387c51b-7fe4-4252-8cd4-585592b4dc7e}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{b387c51b-7fe4-4252-8cd4-585592b4dc7e}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{e90aad8b-7f0c-480d-b33e-16779c4cf59d}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{e90aad8b-7f0c-480d-b33e-16779c4cf59d}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{8025d477-47d3-449c-9350-c676140ee829}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8025d477-47d3-449c-9350-c676140ee829}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{db62c52c-dbae-476c-aeac-fa9966e85326}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{db62c52c-dbae-476c-aeac-fa9966e85326}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{1cf5e433-3cf8-498e-8b5a-f47e23200e07}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{1cf5e433-3cf8-498e-8b5a-f47e23200e07}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{58d879fe-5b40-46aa-ab68-d146ff6a68a0}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{58d879fe-5b40-46aa-ab68-d146ff6a68a0}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{0acabbb8-8f37-4605-9d41-eec1c33eeb95}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0acabbb8-8f37-4605-9d41-eec1c33eeb95}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{0cc6fe25-a88b-480d-956a-a9a20bd2c65a}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{0cc6fe25-a88b-480d-956a-a9a20bd2c65a}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{8db6ae56-7ea1-421c-9c22-d3247c12c6c4}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{8db6ae56-7ea1-421c-9c22-d3247c12c6c4}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{014a1425-828b-482a-a386-5763b23531c3}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{014a1425-828b-482a-a386-5763b23531c3}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2)
+ -
+ function: SoftDeleteRegistryKey
+ parameters:
+ # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2)
+ keyPath: HKLM\SOFTWARE\Classes\Interface\{B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5}
+ elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on
Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\Interface\{B066DDE3-445D-45dc-BF2A-BC7BAA74C5C5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - category: Disable Windows Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: + name: Disable all Security and Maintenance notifications + docs: |- + This script disables all Security and Maintenance notifications in Windows, + potentially enhancing privacy but also reducing system security awareness. + + **Security and Maintenance** was formerly called **Action Center** [1]. + This interface manages and centralizes Windows security and maintenance settings [2] [3] [4] + It notifies users about key system events, security risks, and maintenance issues [2] [3]. + Windows automatically checks for security and maintenance issues and sends notifications by default [2]. + + This script disables notifications for: + + - **Security messages:** + Windows Update, Internet security settings, Network firewall, Microsoft account + Spyware and unwanted software protection, User Account Control, Virus protection, Windows activation [2] + - **Maintenance messages:** + Windows Backup, Automatic Maintenance, Drive status, Device software, Startup apps, + Windows Troubleshooting, HomeGroup, File History, Storage Spaces, Work Folders [2] + + Disabling these notifications may improve privacy by hiding system health and security details. + It may slightly improve system performance by stopping these alerts from being processed and shown. 
+
+ However, disabling these notifications may reduce security by:
+
+ - Reducing awareness of critical security or health events
+ - Potentially leaving the system vulnerable to unnoticed threats or issues
+ - Preventing Windows from alerting you about important system maintenance needs
+
+ > **Caution:**
+ > Disabling these notifications may significantly reduce your awareness of critical system and security issues,
+ > potentially increasing your system's vulnerability to threats.
+
+ ### Technical Details
+
+ This script removes or modifies the following registry keys:
+
+ - `HKLM\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers` [5] [6]
+ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks` [5] [6]
+ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers` [6] [7]
+ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks` (outdated) [8] [9] [10]
+ - `HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers` (outdated) [11]
+
+ These registry keys are linked to `ActionCenter.dll` [6] [12],
+ which is part of the **Security and Maintenance** component [12].
+
+ [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com"
+ [2]: https://archive.ph/2024.09.05-145003/https://www.tenforums.com/tutorials/107172-backup-restore-security-maintenance-settings-windows-10-a.html "Backup and Restore Security and Maintenance Settings in Windows 10 | Tutorials | www.tenforums.com"
+ [3]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com"
+ [4]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com"
+ [5]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com"
+ [6]: https://web.archive.org/web/20240905144852/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ActionCenter.dll.strings "10_0_22623_1020/C/Windows/System32/ActionCenter.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 ยท privacysexy-forks/10_0_22623_1020 | github.com"
+ [7]: https://web.archive.org/web/20240905144727/https://daniosvet.ru/c/kak-otkluchit-uvedomleniya-centra-bezopasnosti-v-windows-10-cherez-reestr "How to disable security center notifications in Windows 10
via registry | daniosvet.ru" + [8]: https://web.archive.org/web/20100823045314/http://social.technet.microsoft.com:80/Forums/en-US/w7itproui/thread/83dc3de6-70b7-450f-992c-60511e4a6c4f "How can I turn off messages for certain Action Center items? | social.technet.microsoft.com" + [9]: https://web.archive.org/web/20240905144738/https://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-turn-off-the-backup-notification-in-the-windows-7-actions-center/ "How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center โ€“ Group Policy Central | www.grouppolicy.biz" + [10]: https://web.archive.org/web/20240905144812/https://randoltech.blogspot.com/2015/06/registry-settings-for-action-center.html "RandolTech: Registry Settings for Action Center alerts | randoltech.blogspot.com" + [11]: https://github.com/privacysexy-forks/Winapp2/blob/master/Winapp2.ini "Winapp2/Winapp2.ini at master ยท privacysexy-forks/Winapp2 | github.com" + [12]: https://web.archive.org/web/20240905145907/https://strontic.github.io/xcyclopedia/library/ActionCenter.dll-4B9995C71B4C41ECE5C8A165A6CED82E "ActionCenter.dll | Security and Maintenance | STRONTIC | strontic.github.io" + call: - - name: Disable all Defender notifications - docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender 
Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) - - name: Disable non-critical Defender notifications - docs: - - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and 
Windows 11 Pro (โ‰ฅ 23H2) + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Providers + - + category: Disable Windows Security notifications + docs: |- + This category provides options to disable various notifications from **Windows Security**. + + Windows Security, built into Windows, provides a centralized interface for managing security settings and viewing + system status [1] [2]. + It was first introduced in Windows 10, version 1703 [1]. + Initially, it was called **Windows Defender Security Center** [1]. + It displays notifications via the **Notification Center** [1] (formerly **Action Center** [3] [4]). + + Windows Security notifications inform users about device health and security, including firewall updates, + antivirus status, and **Defender SmartScreen** [2]. + These notifications are meant to inform users of potential security risks, but some may find them intrusive or unnecessary. + + Disabling these notifications may: + + - Improve privacy by reducing visible security information that may be sensitive. + - Slightly boost system performance by reducing background processes. 
+ + However, disabling these notifications has significant trade-offs: + + - You may miss critical security alerts, leaving your system vulnerable. + - You may be unaware of important updates or actions needed to maintain security. + + > **Caution**: + > Disabling Windows Security notifications may reduce your awareness of critical security events and vulnerabilities. + > Only consider this action if you have alternative security measures in place, such as other monitoring tools or + > strong security practices. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications "Hide notifications from Windows Security | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_11 "How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + children: - - name: Disable security and maintenance notifications # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + name: Disable all Windows 
Security notifications + docs: |- + This script disables all notifications generated by Windows Security. + + **Windows Security** is a built-in Windows feature that offers a unified interface for various + security products, including **Defender Antivirus** [1]. + This interface was previously called **Security Center** [1]. + + By default, local users are notified by Windows Security [2] [3]. + This script blocks these notifications [2] [3]. + + This script may enhance your privacy by reducing visible security-related information on your screen. + It may also slightly improve system performance by reducing the processing and display of these notifications. + However, disabling these notifications will decrease your awareness of critical security events. + + > **Caution**: Disabling security notifications will leave you unaware of critical security issues on your system. + + ### Technical Details + + The script performs the following actions: + + - Disables push notifications from the Windows Security Center package + (`Windows.SystemToast.SecurityCenter`) [4]. + - Configures Group Policy to disable notifications + `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableNotifications` [2] [3]. + - Modifies user interface settings to prevent the display of notifications via + `HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications` [5]. 
+ + [1]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenotifications "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902101758/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications "Hide all notifications | admx.help" + [4]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [5]: https://web.archive.org/web/20240513222301/https://www.elevenforum.com/t/enable-or-disable-all-windows-security-notifications-in-windows-11.13321/ "Enable or Disable All Windows Security Notifications in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" call: - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + 
valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: DisablePushNotifications + parameters: + appUserModelId: Windows.SystemToast.SecurityCenter + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.SystemToast.SecurityCenter" + # reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SecurityCenter" - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + name: Disable non-critical Windows Security notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications call: - function: SetRegistryValue parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default 
since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Windows Security taskbar notifications + docs: |- + This script disables Windows Security-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Windows Security components [1] [2]. + Windows Security is also called **Security Center** in older versions of Windows [3]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing them + on the Windows taskbar, managing Jump Lists, and controlling pinning [4]. + + This script may enhance privacy by reducing the visibility of security-related information on your desktop. + It may also slightly improve system performance by disabling these notification processes. + + However, disabling these notifications may reduce your awareness of important security issues. + + > **Caution**: + > Disabling taskbar integrations may leave you unaware of critical security issues on your system. 
+ + ### Technical Details + + This script removes these AppUserModelIds: + + - `Windows.SystemToast.SecurityCenter` [1] + - `Windows.Defender.SecurityCenter` [2] + + [1]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240902112044/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/SecurityHealthAgent.dll.strings "10_0_22622_601/C/Windows/System32/SecurityHealthAgent.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d ยท privacysexy-forks/10_0_22622_601 | github.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.SystemToast.SecurityCenter + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender.SecurityCenter + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + category: Disable Defender Antivirus notifications + docs: |- + This category contains scripts to disable various notifications from Defender Antivirus. + + **Defender Antivirus**, built into Windows, protects your device from malware and + other threats [1]. + It analyzes your data using machine learning and cloud-based protection technologies [1]. + This data analysis raises privacy concerns. + + Key features of Defender Antivirus include: + + - Real-time protection against known and new threats [1] + - Behavior-based detection to identify suspicious activities [1] + + Defender Antivirus typically sends notifications when: + + - Scans are completed (both scheduled and manual) [2] + - Threats are detected [2] + - System status changes occur [2] + + These notifications appear on your device and in the **Notification Center** [2] + (previously known as the **Action Center** [3]). + + Disabling these notifications may: + + - Enhance privacy by reducing visible information about your system's security status + - Improve system performance by reducing background processes + + However, disabling notifications may: + + - Lower your awareness of security threats + - Increase the risk of unnoticed malware or system issues + + The scripts in this category apply to both the standard **Defender Antivirus** and + the **Defender for Endpoint** suite [1] [2]. + + > **Caution**: + > Disabling security notifications may prevent you from noticing critical system threats. + > This may reduce your security if you do not have alternative measures in place. 
+ + [1]: https://web.archive.org/web/20240728184012/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240905102312/https://learn.microsoft.com/en-us/defender-endpoint/configure-notifications-microsoft-defender-antivirus "Configure Microsoft Defender Antivirus notifications - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + children: + - + name: Disable Defender Antivirus push notifications + docs: |- + This script disables notifications from Defender Antivirus. + + By default, Defender Antivirus notifies you of potential threats and system status [1] [2]. + This script disables these notifications [1] [2]. + + Disabling these notifications may enhance privacy by limiting visible information on your + system's security status. + It may also slightly improve system performance by reducing background processes related to + notification display. + However, this action may reduce your security awareness, potentially leaving your system vulnerable to + unnoticed threats such as malware. + + > **Caution**: + > Disabling notifications reduces your awareness of security alerts, which may compromise system security. 
+ + ### Technical Details + + The script: + - Configures group policy to suppress notifications by setting + `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration!Notification_Suppress` [1] [2] + - Stops push notifications from the Windows Defender UI package + (`Windows.Defender`) [3] + + [1]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#ux_configuration_notification_suppress "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240902105942/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress "Suppress all notifications | admx.help" + [3]: https://web.archive.org/web/20240902105452/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_windows-defender-ui_31bf3856ad364e35_10.0.22621.1_none_81f39428081c6a33.manifest "nickel-x64/WinSxS/Manifests/wow64_windows-defender-ui_31bf3856ad364e35_10.0.22621.1_none_81f39428081c6a33.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: - function: SetRegistryValue parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration valueName: Notification_Suppress dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: DisablePushNotifications + parameters: + appUserModelId: Windows.Defender + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + # reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\Windows.Defender" + # reg query 
"HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.Defender" - - name: Disable Defender reboot notifications + name: Disable Defender Antivirus reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification call: function: SetRegistryValue 
@@ -19604,10 +22504,580 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Antivirus taskbar notifications + docs: |- + This script disables Defender Antivirus-related notifications on the Windows taskbar. + + It removes taskbar integrations (AppUserModelId) for Defender components [1]. + *AppUserModelIds* link processes, files, and windows to specific applications, organizing + them on the Windows taskbar, managing Jump Lists, and controlling pinning [2]. + + This script may enhance privacy by reducing the visibility of antivirus-related information + on your desktop. + It may also slightly improve system performance by disabling these notification processes. + + However, disabling these notifications may reduce your awareness of important antivirus issues. + + > **Caution**: + > Disabling taskbar integrations may leave you unaware of critical antivirus issues on your + > system. 
+ + ### Technical Details + + This script removes these AppUserModelIds: + + - `Microsoft.Windows.Defender` [1] + - `Windows.Defender` [1] + + [1]: https://web.archive.org/web/20240902111830/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-notificationcontroller_31bf3856ad364e35_10.0.22621.1_none_64a0a52f2d3be444.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [2]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender + - + category: Disable Security and Maintenance + docs: |- + This category includes scripts that disable various components of the + **Security and Maintenance** feature. + + **Security and Maintenance** was previously known as **Action Center** [1] [2]. + This feature provides a central interface for managing Windows security and maintenance settings [1] [2]. + It monitors and reports on system health, including security threats, software updates, and hardware issues [3]. + + Disabling these components enhances privacy by reducing system monitoring and data collection associated with + security and maintenance. + This may also improve system performance by stopping background processes associated with these functions. 
+ + However, disabling these components can significantly impact system security. + It limits the system's ability to alert users to potential threats, vulnerabilities, and critical + maintenance issues. + This may make the system more vulnerable to security risks if not properly managed. + + > **Caution**: + > Disabling Security and Maintenance features may leave your system more vulnerable to security threats + > and maintenance issues. + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + children: + - + name: Disable Security and Maintenance core library + docs: |- + This script disables the Security and Maintenance library, a core component of + Windows security monitoring. + + **Security and Maintenance** was formerly known as **Action Center** [1]. + It is a central interface for managing Windows security and maintenance settings [2] [3]. + By default, Windows automatically checks for security and maintenance issues and sends notifications + via this interface [2]. 
+ + This script disables the `ActionCenter.dll` library, which is responsible for: + + - Managing security and maintenance notifications [4] + - Processing and caching system health notifications [4] + - Handling the icon and its tooltips in the system tray [4] + - Interacting with various Windows components to check system health status [4] + - Launching the Control Panel applet for Security and Maintenance [4] + - Creating and managing toast notifications for security and maintenance issues [4] + - Interfacing with Windows event logs to gather system health information [4] + - Handling user interactions with notifications and the interface [4] + - Managing settings related to security and maintenance checks [4] + + Disabling this library may enhance privacy by reducing system monitoring and data collection + related to security and maintenance activities. + It may also improve system performance by stopping background processes related to these functions. + + However, disabling this library will impair the functionality of Security and Maintenance [5]. + It reduces system security by disabling important notifications about potential + threats and system vulnerabilities. + This change also complicates the management of security settings, potentially making it harder + for users to maintain a secure system. + + > **Caution**: + > This action may leave your system more vulnerable to security threats and maintenance issues if not carefully managed. + + ### Technical Details + + This script removes the `ActionCenter.dll` file [4] [5] [6]. + This file belongs to **Security and Maintenance** [6]. + The name of the files comes from *Action Center* which was the previous name + of *Security and Maintenance* [1]. 
+ + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://archive.ph/2024.09.05-145003/https://www.tenforums.com/tutorials/107172-backup-restore-security-maintenance-settings-windows-10-a.html "Backup and Restore Security and Maintenance Settings in Windows 10 | Tutorials | www.tenforums.com" + [3]: https://web.archive.org/web/20240630202431/http://hs.windows.microsoft.com/hhweb/content/m-en-us/p-6.2/id-bbeaaca4-c6ae-47f8-8f2f-03deadf80271/ "What is Action Center? | hs.windows.microsoft.com" + [4]: https://web.archive.org/web/20240905145907/https://strontic.github.io/xcyclopedia/library/ActionCenter.dll-4B9995C71B4C41ECE5C8A165A6CED82E "ActionCenter.dll | Security and Maintenance | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20150920214245/http://www.sevenforums.com/general-discussion/37592-disable-action-center-notifications-2.html "Disable Action Center notifications - Page 2 - Windows 7 Forums | www.sevenforums.com" + [6]: https://web.archive.org/web/20240905144852/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ActionCenter.dll.strings "10_0_22623_1020/C/Windows/System32/ActionCenter.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 ยท privacysexy-forks/10_0_22623_1020 | github.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\ActionCenter.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\ActionCenter.dll' + 
grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance Control Panel applet + docs: |- + This script disables the **Security and Maintenance** feature in the Windows Control Panel. + + Security and Maintenance (previously **Action Center** [1] [2]) is a central interface + for managing Windows security and maintenance settings [2] [3]. + + It controls: + + - Security components such as *firewall*, *Internet security settings*, and *User Account Control (UAC)* [3] + - Maintenance features as *automatic Maintenance*, *drive status*, and *file history* [3] + + This interface also displays relevant notifications [3]. + + After running this script, **Security and Maintenance** will be disabled and inaccessible. + This enhances privacy by limiting the system's ability to monitor and report on security and maintenance issues. + It may slightly improve system performance by disabling related background processes. + + However, this change may reduce overall system security and make managing important security settings more difficult. + You will need to monitor and adjust these settings manually. + + > **Caution**: Disabling this feature may increase vulnerability to security threats and maintenance + > issues unless carefully managed. 
+ + ### Technical Details + + This script removes: + + - COM registrations for the application CLSID `BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6` [4] + - DLL files `ActionCenterCPL.dll` [4] + - Executable Control Panel item registration for the CLSID `BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6` [5] + + [1]: https://web.archive.org/web/20240829174309/https://support.microsoft.com/en-us/windows/find-action-center-in-windows-10-eda89d84-0676-1fad-36e9-e9aa0c5cc937 "Find action center in Windows 10 - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20190113102952/https://blogs.msdn.microsoft.com/oldnewthing/20170516-00/?p=96165 "Thereโ€™s a group policy for Action Center, and another one for Action Center โ€“ The Old New Thing | blogs.msdn.microsoft.com" + [3]: https://web.archive.org/web/20240829174408/https://www.thewindowsclub.com/turn-off-security-and-maintenance-messages-in-windows-10 "Turn off Security and Maintenance notifications in Windows 11 | www.thewindowsclub.com" + [4]: https://web.archive.org/web/20240829174447/https://strontic.github.io/xcyclopedia/library/clsid_BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6.html "CLSID BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6 | Security and Maintenance CPL | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240829174323/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/hh127450(v=vs.85) "How to Register Executable Control Panel Items (Windows) | Microsoft Learn | learn.microsoft.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\ActionCenterCPL.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\SysWOW64\ActionCenterCPL.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Security and Maintenance desktop features + docs: |- + This script disables the Security and Maintenance desktop integration in Windows. + + Windows automatically loads certain applications at startup using **Shell Service Objects** [1]. + These objects are loaded early during startup by `explorer.exe`, the core shell for Windows [1]. 
+ Shell Service Objects handle tasks like file management, system operations, and user interface interactions [2]. + + The script removes the **Security and Maintenance Shell Service Object** [3] [4]. + This object shows security and health notifications on your desktop. + Disabling this may reduce certain Security and Maintenance capabilities, such as specific file operations, + window management, system tasks, service control, help functions, security dialogs, shell integration, + and application search [2]. + + Disabling this integration may: + + - Enhance privacy by reducing the visibility of security and health-related information on your desktop. + - Improve system performance by reducing system resource usage associated with these notifications. + + However, disabling notifications may reduce your awareness of important security and health issues. + + > **Caution:** + > This script may result in losing access to certain **Security and Maintenance** features + > and missing important security alerts. + + ### Technical Details + + This script removes the following components: + + - **Security and Maintenance Shell Service Object** with CLSID: + `F56F6FDD-AA9D-4618-A949-C1B91AF43B1A` [3] [4] + - The associated registry key: + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}` [3] [4] + + [1]: https://web.archive.org/web/20240904131019/https://www.boostbyreason.com/resource-startups-ShellServiceObjectDelayLoads.aspx "Shell service object delay loads - Boost Your Slow PC. 
| www.boostbyreason.com" + [2]: https://web.archive.org/web/20240904131043/https://learn.microsoft.com/en-us/windows/win32/shell/shell "Shell object (Shldisp.h) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240902104634/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest "nickel-x64/WinSxS/Manifests/wow64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_174798398bf36de7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [4]: https://web.archive.org/web/20240902112132/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-healthcenter_31bf3856ad364e35_10.0.22621.1_none_0cf2ede75792abec.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro 
(โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} + - + name: Disable Defender Firewall Control Panel applet + docs: |- + This script disables the Windows Defender Firewall Control Panel applet, restricting access + to firewall settings through this specific interface. + + The Windows Defender Firewall Control Panel applet is a tool for configuring the Defender Firewall [1]. + It can be accessed by typing `firewall.cpl` in the **Start** menu and pressing **Enter** [1]. + + Disabling this applet enhances security by reducing the attack surface and potential vulnerabilities in the + firewall's configuration interface. + This action preserves your firewall settings by blocking modifications through the Control Panel applet. + It may also slightly boost system performance by eliminating unnecessary components. + + > **Caution**: + > Disabling this applet removes a user-friendly interface for configuring the firewall. + > Users can still manage firewall settings through other means, such as PowerShell or + > the **Windows Security** app. 
+ + ### Technical Details + + The script removes the following components: + + - Windows Defender Firewall Control Panel [2] (File Path: `%WINDIR\System32\FirewallControlPanel.dll` [2] [3] [4] [5] [6]) + - Virtual Factory for Windows Defender Firewall CPL class [3] (CLSID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3]) + - Virtual Factory for Windows Defender Firewall CPL app [3] (AppID: `A4B07E49-6567-4FB8-8D39-01920E3B2357` [3]) + - `FirewallControlPanel.dll` COM class (CLSID: `1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1` [4]) + - FwCpl LUA class (CLSID: `752438CB-E941-433F-BCB4-8B7D2329F0C8` [5]) + - FwCpl LUA app (AppID: `6571503D-D0FB-4D98-BBC3-1FBB2B3F344E` [5]) + - FwCpl LUA type library (TypeLib: `B9C76E7B-D029-44EB-896F-F02FC6E9ABD5` [5]) + - Firewall Control Panel class (CLSID: `{DDECE4B2-979F-4CDB-9F58-B036FE5A510C}` [6]) + + [1]: https://web.archive.org/web/20240831142406/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/tools#control-panel "Windows Firewall tools | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831142607/https://strontic.github.io/xcyclopedia/library/FirewallControlPanel.dll-751214B2EB569EABF97659975725A321.html "FirewallControlPanel.dll | Windows Defender Firewall Control Panel | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240831142413/https://strontic.github.io/xcyclopedia/library/clsid_A4B07E49-6567-4FB8-8D39-01920E3B2357.html "CLSID A4B07E49-6567-4FB8-8D39-01920E3B2357 | Virtual Factory for Windows Defender Firewall Cpl | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831142428/https://strontic.github.io/xcyclopedia/library/clsid_1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1.html "CLSID 1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1 | (C:\Windows\System32\FirewallControlPanel.dll) | STRONTIC | strontic.github.io" + [5]: 
https://web.archive.org/web/20240831142524/https://strontic.github.io/xcyclopedia/library/clsid_752438CB-E941-433F-BCB4-8B7D2329F0C8.html "CLSID 752438CB-E941-433F-BCB4-8B7D2329F0C8 | FwCpl LUA | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831142527/https://strontic.github.io/xcyclopedia/library/clsid_DDECE4B2-979F-4CDB-9F58-B036FE5A510C.html "CLSID DDECE4B2-979F-4CDB-9F58-B036FE5A510C | Firewall Control Panel | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\System32\FirewallControlPanel.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{1CD0938D-1AC1-49DE-AA04-F2C92D4A02D1} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: 
HKLM\Software\Classes\AppID\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\AppId\{A4B07E49-6567-4FB8-8D39-01920E3B2357} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{752438CB-E941-433F-BCB4-8B7D2329F0C8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{752438CB-E941-433F-BCB4-8B7D2329F0C8} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{6571503D-D0FB-4D98-BBC3-1FBB2B3F344E} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\AppId\{6571503D-D0FB-4D98-BBC3-1FBB2B3F344E} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + 
parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{B9C76E7B-D029-44EB-896F-F02FC6E9ABD5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\TypeLib\{B9C76E7B-D029-44EB-896F-F02FC6E9ABD5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{DDECE4B2-979F-4CDB-9F58-B036FE5A510C} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Firewall "Windows Defender Firewall with Advanced Security" + docs: |- + This script disables the **Windows Defender Firewall with Advanced Security (WFAS)** management interface. + + The Windows Defender Firewall with Advanced Security (WFAS) is a Microsoft Management Console (MMC) snap-in + offering advanced configuration options for your firewall [1]. + It can be accessed locally or through group policies by typing `wf.msc` in the Start menu [1]. + + The **Microsoft Management Console (MMC)** acts as a toolbox for managing various Windows components, + including hardware, software, and network settings [2]. + A **snap-in** is a specific type of tool within this MMC toolbox [2]. + + Disabling WFAS may enhance privacy by removing an interface that could be used for network monitoring. + It may also slightly boost system performance by reducing background processes. 
+ + However, this action removes a user-friendly interface for configuring the firewall. + It may reduce your security by making firewall management more difficult to access. + + This script disables only the WFAS interface, not the firewall itself. + Firewall settings can still be managed through other methods, such as PowerShell or Windows Security. + + > **Caution**: + > This script removes a user-friendly tool for managing the firewall, potentially making it harder to control computer security settings. + + ### Technical Details + + This script removes: + + - **Windows Defender Firewall with Advanced Security Group Policy Editor Extension** [3] [4] + - File path: `%WINDIR%\System32\AuthFWGP.dll` [3] [5] + - File path: `%WINDIR%\SysWOW64\AuthFWGP.dll` [4] + - **Windows Defender Firewall with Advanced Security** [5] [6] COM class + - CLSID: `023A36FC-E9D5-419E-824A-CDC66A116E84` [5] + - CLSID: `0E752416-F29E-4195-A9DD-7F0D4D5A9D71` [6] + + [1]: https://web.archive.org/web/20240831142406/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/tools#windows-defender-firewall-with-advanced-security "Windows Firewall tools | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240831144214/https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console "What is MMC - Windows Server | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240831144246/https://strontic.github.io/xcyclopedia/library/AuthFWGP.dll-AEC29DD818090C5FC3274179EF262D1A.html "AuthFWGP.dll | Windows Defender Firewall with Advanced Security Group Policy Editor Extension | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20240831144435/https://strontic.github.io/xcyclopedia/library/AuthFWGP.dll-2F4C8AA2A2AFD38A08B3C108F4E537F4.html "AuthFWGP.dll | Windows Defender Firewall with Advanced Security Group Policy Editor 
Extension | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240831144232/https://strontic.github.io/xcyclopedia/library/clsid_023A36FC-E9D5-419E-824A-CDC66A116E84.html "CLSID 023A36FC-E9D5-419E-824A-CDC66A116E84 | Windows Defender Firewall with Advanced Security | STRONTIC | strontic.github.io" + [6]: https://web.archive.org/web/20240831144427/https://strontic.github.io/xcyclopedia/library/clsid_0E752416-F29E-4195-A9DD-7F0D4D5A9D71.html "CLSID 0E752416-F29E-4195-A9DD-7F0D4D5A9D71 | Windows Defender Firewall with Advanced Security | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\System32\AuthFWGP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%WINDIR%\SysWOW64\AuthFWGP.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{023A36FC-E9D5-419E-824A-CDC66A116E84} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{023A36FC-E9D5-419E-824A-CDC66A116E84} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 
23H2) + keyPath: HKLM\Software\Classes\CLSID\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable outdated "Windows Defender Security Center" interface + docs: |- + This script disables outdated Defender Antivirus user interface components. + + The **Windows Defender User Experience Host** managed communication between Windows components and apps, + including the discontinued Windows Defender Security Center [1]. + This interface is not present in modern Windows versions, so this script will not affect recent Windows systems. + + Disabling this component may enhance privacy on older systems by reducing monitoring and data + collection from the Defender components. + It helps maintain control over privacy preferences and reduces the risk of unintended changes. + This action may also improve system performance by stopping processes that use system resources. + Removing obsolete software reduces the potential attack surface, aligning with security best practices. + + However, this action may reduce system security if you are using older versions of Windows. + Carefully weigh the privacy benefits against potential security risks before applying this script. + + > **Caution**: This script limits the Defender user interface on older Windows versions. 
+ + ### Technical Details + + This script removes several components related to the Windows Defender User Experience (`MpUx`), including: + + - MP UX Host (AppID: `FDA74D11-C4A6-4577-9F73-D7CA8586E10D`) [2] + - MP UX Host [3] [4] (CLSID: `FDA74D11-C4A6-4577-9F73-D7CA8586E10D`) [2] [3] [4] [5] + - WD modern host server [1] [4] (File: `%PROGRAMFILES%\Windows Defender\MpUXSrv.exe` [4]) + - Defender MpUxAgent [6] (File: `%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MPUXAGENT.DLL` [5] [7]) + - Defender MpUxAgent (CLSID: `4DB116D1-9B24-4DFC-946B-BFE03E852002` [5] [7]) + - Defender MpUxAgent (CLSID: `2DCD7FDB-8809-48E4-8E4F-3157C57CF987}` [5] [7]) + - Defender Data Loss Prevention UI (Application User Model ID: `Windows.Defender.MpUxDlp` [5]) + - MpUx Agent Host [5] [8] (AppID: `1111a26d-ef95-4a45-9f55-21e52adf9887` [5] [8]) + - COM Proxy for mpuxhost (MP Modern shell host) [9] (file: `%PROGRAMFILES%\Windows Defender\mpuxhostproxy.dll` [3] [7]) + - PSFactoryBuffer [3] (CLSID: `13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8` [2] [3] [7]) + - PSFactoryBuffer [3] (CLSID: `94F35585-C5D7-4D95-BA71-A745AE76E2E2` [2] [3]) + + Tests confirm that these components are not present in Windows versions from Windows 10 19H1 and Windows 11 21H2 onwards. + + [1]: https://web.archive.org/web/20240830202122/https://www.spyshelter.com/exe/microsoft-windows-mpuxsrv-exe/ "What is MpUXSrv.exe (WD modern host server)? 
4 reasons to/NOT trust it | www.spyshelter.com" + [2]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings "10_0_19045_2251/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.1_none_7b973051f62a1a6d/MpCmdRun.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf ยท privacysexy-forks/10_0_19045_2251 | github.com" + [3]: https://web.archive.org/web/20240830202035/https://wikileaks.org/ciav7p1/cms/page_13762818.html "CLSIDs Windows 8.1 Enterprise x64 with Office 2013 | wikileaks.org" + [4]: https://github.com/privacysexy-forks/r2com/blob/master/clsids.json "r2com/clsids.json at master ยท privacysexy-forks/r2com | github.com/privacysexy-forks" + [5]: https://web.archive.org/web/20240831105355/https://hypedisenio.blogspot.com/2011/07/diseno-hola-todos-los-interesados-en.html "hypedisenio: Diseรฑo: Hola a todos los interesados en sitios de divulgac... | hypedisenio.blogspot.com" + [6]: https://web.archive.org/web/20240831105406/https://manalyzer.org/report/705f5d24ef8780386e98d6d0b50b0a70 "Manalyzer :: 705f5d24ef8780386e98d6d0b50b0a70 | manalyzer.org" + [7]: https://github.com/privacysexy-forks/Trawler/blob/main/trawler.ps1 "Trawler/trawler.ps1 at main ยท privacysexy-forks/Trawler | github.com" + [8]: https://web.archive.org/web/20240923153453/https://github.com/privacysexy-forks/windows-com-objects/blob/ff00b455604546b70c8bb7c200823332af96e641/Data/CASE_Windows10_20H2/comx86/comAppId.csv "windows-com-objects/Data/CASE_Windows10_20H2/comx86/comAppId.csv at ff00b455604546b70c8bb7c200823332af96e641 ยท privacysexy-forks/windows-com-objects | github.com" + [9]: https://archive.ph/2024.08.31-105522/https://www.dllme.com/dll/files/mpuxhostproxy "mpuxhostproxy.dll : Free .DLL download. 
| www.dllme.com" + [10]: https://web.archive.org/web/20240830202110/https://www.herdprotect.com/mpuxsrv.exe-8bc4fa864c753f26969a98a6ba42553e16982c51.aspx "Malware scan of MpUxSrv.exe (WD modern host server) 8bc4fa864c753f26969a98a6ba42553e16982c51 - herdProtect | www.herdprotect.com" + call: + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + fileGlob: '%PROGRAMFILES%\Windows Defender\MpUXSrv.exe' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\Software\Classes\AppID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\Software\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10D} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMDATA%\Microsoft\Windows Defender\Platform\*\MPUXAGENT.DLL' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + 
keyPath: HKLM\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\AppID\{1111a26d-ef95-4a45-9f55-21e52adf9887} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteFiles + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%PROGRAMFILES%\Windows Defender\mpuxhostproxy.dll' + elevateToTrustedInstaller: 'true' # Unable to test, but usually files in this folder requires TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{13F6A0B6-57AF-4BA7-ACAA-614BC89CA9D8} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 21H2) | โŒ Windows 11 Pro (โ‰ฅ 19H1) + keyPath: HKLM\SOFTWARE\Classes\CLSID\{94F35585-C5D7-4D95-BA71-A745AE76E2E2} + elevateToTrustedInstaller: 'true' # Unable to test, but usually Defender AppIDs require TrustedInstaller - category: Disable Defender Exploit Guard docs: |- - This category disables Windows Defender Exploit Guard, potentially enhancing privacy and + This category disables Defender Exploit Guard, potentially enhancing privacy and system performance. Exploit Guard is also called **Windows Defender Exploit Guard** [1] [2] [3] [4] [5] 
@@ -19621,7 +23091,7 @@ actions: It also increases user autonomy by enabling choices about which programs, scripts, and websites can connect without automatic intervention. - Disabling Exploit Guard may reduce protection against certain types of attacks. + However, disabling Exploit Guard may reduce protection against certain types of attacks. Users should carefully weigh the trade-offs between enhanced privacy/performance and potential security risks when disabling this feature. @@ -19641,7 +23111,7 @@ actions: They can also be remotely configured and set up in managed environments, such as enterprise organizations [2]. Disabling Exploit Guard can affect local or organizational configurations, such as those set by schools or employers. - Defender Antivirus is the built-in antimalware component in Windows [5]. + **Defender Antivirus** is the built-in antimalware component in Windows [5]. Exploit Guard operates independently from Defender Antivirus [5]. However, some features, like Attack Surface Reduction, depend on Defender Antivirus to function [1]. Exploit Guard may also require Defender Antivirus for some of its configurations [6]. 
@@ -19726,6 +23196,148 @@ actions: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' taskPathPattern: \Microsoft\Windows\ExploitGuard\ taskNamePattern: ExploitGuard MDM policy Refresh + - + category: Disable outdated Defender Application Guard + docs: |- + This category provides scripts to disable the deprecated Defender Application Guard, a feature + originally designed to protect business environments. + + Defender Application Guard is also referred to as **Microsoft Defender Application Guard (MDAG)** [1]. + It was formerly known as Windows Defender Application Guard [2]. + It uses hardware isolation to protect against internet-based attacks [1]. + It creates Hyper-V-enabled containers to isolate potentially harmful content [1]. + + MDAG consists of two main components: + + | Component | Description | + | --------- | ----------- | + | **Application Guard for Edge** [3] | Isolates untrusted websites in a separate container [1] | + | **Application Guard for Office** [3] | Opens untrusted Word, PowerPoint, and Excel files in an isolated environment [1] | + + Microsoft deprecated MDAG in 2023 and no longer provides updates [1] [3]. + Despite this, its components remain present in modern Windows computers [4]. + + Disabling MDAG can enhance privacy by reducing data collection associated with this feature. + It can also improve system performance by eliminating the overhead of running isolated containers. + Furthermore, it can increase security by removing outdated software and reducing your attack surface. + + However, disabling MDAG may reduce some security protections, particularly for enterprise users. + It may also affect functionality on work or school computers that rely on this feature. + + > **Caution**: + > Disabling this feature may decrease security in Edge and Office, and interfere with enterprise settings. 
+ + [1]: https://web.archive.org/web/20240830165604/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview "Microsoft Defender Application Guard | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830165525/https://www.microsoft.com/en-us/security/blog/2017/10/23/making-microsoft-edge-the-most-secure-browser-with-windows-defender-application-guard/ "Making Microsoft Edge the most secure browser with Windows Defender Application Guard | Microsoft Security Blog | www.microsoft.com" + [3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240830165507/https://strontic.github.io/xcyclopedia/library/clsid_F80FC80C-6A04-46FB-8555-D769E334E9FC.html "CLSID F80FC80C-6A04-46FB-8555-D769E334E9FC | WindowsDefenderApplicationGuardCSP | STRONTIC | strontic.github.io" + children: + - + name: Disable Defender Application Guard isolation + recommend: null # Though outdated, it is significant security feature + docs: |- + This script disables the deprecated Defender Application Guard feature, which + isolates applications to enhance security. + + Application Guard uses **Windows Hypervisor** to create a secure virtual environment for certain apps [1]. + This isolation protects the system kernel and other applications from threats due to improper user + interactions or vulnerabilities in isolated apps [1]. + Microsoft deprecated the Application Guard feature in 2023 and no longer provides updates [2]. + + Disabling this feature may improve privacy by reducing system monitoring of application behavior in isolated + environments. + It can also boost system performance by freeing resources allocated to virtualization. 
+ Additionally, it may increase security by removing deprecated software and reducing your attack surface. + However, it may also reduce security by removing a protective layer against threats from untrusted sources. + + > **Caution:** + > Disabling Application Guard may expose your system to increased security risks from malicious applications. + + ### Technical Details + + This script sets the registry value `AllowAppHVSI_ProviderSet` to `0` in the `HKLM\SOFTWARE\Policies\Microsoft\AppHVSI` + key, effectively disabling the Defender Application Guard [1] [3]. + + [1]: https://web.archive.org/web/20240830171011/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AllowAppHVSIConfig "Turn on Microsoft Defender Application Guard in Managed Mode | admx.help" + [2]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp#settingsallowwindowsdefenderapplicationguard "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AllowAppHVSI_ProviderSet + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable Defender Application Guard remote configuration + recommend: strict # Deprecated feature: No security benefits, potential privacy risks for personal use + docs: |- + This script disables Defender Application Guard's remote configuration capability. + + Defender Application Guard uses virtualization to isolate untrusted websites and files [1]. 
+ As of 2023, Microsoft has discontinued support and updates for the Application Guard feature [2]. + + This feature can be configured remotely using tools like Microsoft Intune [3]. + Remote management of this feature is done through Configuration Service Providers (CSPs) [3] [4]. + + Disabling this feature enhances privacy by preventing remote modifications to your Application Guard settings. + It can potentially improve system performance by freeing up resources previously used for virtualization. + It can also enhance security by removing outdated software and reducing your attack surface. + However, disabling this feature may reduce security by blocking automatic security updates from your organization. + + > **Caution**: + > Disabling this feature may limit management systems' ability to adjust security settings automatically. + + ### Technical Details + + This script performs the following actions: + + - Deletes the **WindowsDefenderApplicationGuardCSP** COM object (CLSID `F80FC80C-6A04-46FB-8555-D769E334E9FC`) [5]. + - Removes the `windowsdefenderapplicationguardcsp.dll` file from the Windows System32 folder [5]. + + For more information on related configurations and the full range of settings affected, + see the official Microsoft documentation on the Defender Application Guard CSP [4]. 
+ + [1]: https://web.archive.org/web/20240830165604/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview "Microsoft Defender Application Guard | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp#settingsallowwindowsdefenderapplicationguard "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240830172815/https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10 "Settings you can manage with Intune Endpoint Protection profiles for Windows 10/11 devices | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240830171005/https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp "WindowsDefenderApplicationGuard CSP | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240830165507/https://strontic.github.io/xcyclopedia/library/clsid_F80FC80C-6A04-46FB-8555-D769E334E9FC.html "CLSID F80FC80C-6A04-46FB-8555-D769E334E9FC | WindowsDefenderApplicationGuardCSP | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{F80FC80C-6A04-46FB-8555-D769E334E9FC} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\WOW6432Node\CLSID\{F80FC80C-6A04-46FB-8555-D769E334E9FC} + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 
Pro (โ‰ฅ 23H2) + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteFiles + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\System32\windowsdefenderapplicationguardcsp.dll' + grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + name: Disable auditing events in Defender Application Guard + recommend: strict # Deprecated feature; Not a core system feature, improves privacy + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig + - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AuditApplicationGuard + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) - category: Disable automatic updates docs: |- 
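Review bot: In `Disable Defender Application Guard remote configuration`, the `recommend: strict` comment says "No security benefits", but the entry's own docs say that disabling "may reduce security by blocking automatic security updates from your organization", and the sibling isolation script is `recommend: null` because it is a significant security feature. The comment would be more accurate as `recommend: strict # Deprecated feature; removes CSP-based remote management, affects work/school-managed devices`. In the same entry the deprecation sentence cites `[2]`, which resolves to the WindowsDefenderApplicationGuard CSP page rather than the deprecated-features page that `[2]` points to in the isolation script. `Disable auditing events in Defender Application Guard` is also `recommend: strict` but carries only bare links and no caution, although it sets `AuditApplicationGuard` to `0`, which by its name presumably stops audit event collection. A short docs block with a caution that those events will no longer be available for investigation would match the other two entries.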
@@ -19970,33 +23582,70 @@ actions: - name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) docs: |- - This script disables the Windows Update Medic Service. This service runs quietly in the background [1], - making sure that parts related to Windows updates are working as they should [1] [2]. - - This service can undo any adjustments you've made to your Windows Update settings without your consent. - For example, it can re-enable automatic Windows updates [3]. - That can interfere if you've tailored these settings for better privacy or security. - - By default, the service is enabled and its startup setting is set to manual [4] [5]. It executes - `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [5], known as "WaasMedic Service Dll" [6]. It stores remediation - configuration such as registry keys, tasks and services at `%WINDIR%\WaaS\` folder [7] [8] [9]. - Other related files include: - - | Path | Description | Windows 10 22H2 | Windows 11 23H2 | - | ---- |:-----------:|:---------------:|:---------------:| - | `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` | WaasMedic Agent Exe | โœ… Exists | โŒ Missing | - | `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` | WaasMedic Capsule Exe | โœ… Exists | โŒ Missing | - | `%SYSTEMROOT%\System32\WaaSMedicPS.dll` | WaaS Medic Proxy Stub library | โœ… Exists | โœ… Exists | - | `%SYSTEMROOT%\System32\WaaSAssessment.dll` | WaaS Assessment | โœ… Exists | โœ… Exists | - | `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` | WaaS Assessment | โŒ Missing | โœ… Exists | - | `%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll` | WaaS Assessment | โŒ Missing | โœ… Exists | - - > **Caution:** While this script provides greater control over Windows Update operations and enhances user - > privacy by limiting unsolicited data transmission to Microsoft, it's important to be aware of the potential - > impacts on system stability and update integrity. 
Disabling the Windows Update Medic Service prevents the - > self-healing capability of Windows Updates, favoring the maintenance of user-defined update preferences. + This script disables the Windows Update Medic Service (`WaaSMedicSvc`) and removes its + associated files and registry entries. + This service runs continuously in the background and maintains Windows Update components [1] [2] [3]. - ### Overview of default service statuses + Disabling this service prevents it from reverting your Windows Update settings, such as re-enabling + automatic updates without your permission [4]. + This gives you more control over your system's update behavior and settings. + + This script enhances your privacy by reducing data transmission to Microsoft related to Windows + Update processes. + + Disabling the service improves system performance by eliminating a background process. + + However, this can affect system stability and update reliability over time. + It may lead to update failures or incomplete updates. + As a result, you may miss critical security updates, potentially exposing your system to security + vulnerabilities. + + > **Caution**: + > Disabling this service may stop Windows from automatically fixing update issues. + > This may lead to update failures or security vulnerabilities if updates are not managed manually. + + ### Technical Details + + By default, the service is enabled with a manual startup type [5] [6]. + It runs `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [6], also known as the "WaaSMedic Service DLL" [7]. + It stores remediation settings like registry keys, tasks, and services in the `%WINDIR%\WaaS\` folder [8] [9] [10]. + + This script disables the service, terminates and blocks its executable, and removes its files + and Component Object Model (COM) objects. 
+ + **Services Disabled**: + + - `WaaSMedicSvc` [1] [3] [4] [5] [6] [9] + + **Processes Blocked**: + + - `WaaSMedicAgent.exe` [3] + + **Files Removed**: + + - `%SYSTEMROOT%\UUS\amd64\WaaSMedicSvcImpl.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [3] [6] [7] + - `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicPS.dll` [3] + - `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` [3] + - `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` [3] + - `%SYSTEMROOT%\System32\WaaSAssessment.dll` [11] + - All files within the `%SYSTEMROOT%\WaaS\` directory [8] [9] [10] + + **COM Objects Removed**: + + - WaaSMedicDocked.CBSHelper (ActivatableClassId: `Windows.Internal.WaaSMedicDocked.CBSHelper`) [3] + - WaaSMedicSvc (AppID: `2ED83BAA-B2FD-43B1-99BF-E6149C622692`) + - WaaSMedic Proxy Stub (CLSID: `63480537-5d3d-4c42-8ac4-22a2bc016244`) [3] + - IWaaSRemediationEx (Interface: `B4C1D279-966E-44E9-A9C5-CCAF4A77023D`) [3] + - IWaaSProtectedSettingsProvider (Interface: `e4dc719b-fe77-414f-9dbe-3e4ffea7a7a5`) [3] + - IWaaSRemediationEx types (Typelib: `3ff1aab8-f3d8-11d4-825d-00104b3646c0`) [3] + - `HKLM\Software\Classes\Microsoft.WaaSMedic.1` [3] + - `HKLM\Software\Classes\Microsoft.WaaSMedic` [3] + - WaaSRemediation (CLSID: `72566e27-1abb-4eb3-b4f0-eb431cb1cb32`) + - WaaSProtectedSettingsProvider (CLSID: `9ea82395-e31b-41ca-8df7-ec1cee7194df`) + + #### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | 
@@ -20005,25 +23654,27 @@ actions: [1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322โ€”Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support" [2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" - [3]: https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates ยท Issue #252 ยท undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [4]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" - [5]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com" - [6]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io" - [7]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" - [8]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? 
| www.acepace.net" - [9]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl" - call: - - - # Windows 10 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` - # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` | โœ… `DisableServiceInRegistry` with `elevateToTrustedInstaller` + [3]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" [4]: https://web.archive.org/web/20240828090735/https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates ยท Issue #252 ยท undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [5]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" + [6]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com" + [7]: 
https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io" + [8]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [9]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net" + [10]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl" + [11]: https://web.archive.org/web/20240916090531/https://strontic.github.io/xcyclopedia/library/WaaSAssessment.dll-F695BFFC7B607DCEC7701DA68F35B448.html "WaaSAssessment.dll | WaaS Assessment | STRONTIC | strontic.github.io" + call: + - + # Standard service disabling methods proved ineffective in tests. + # Registry modification is required for successful disabling across all tested Windows versions: + # Windows 10 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 10 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (21H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (22H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` + # Windows 11 (23H2): โŒ `DisableService` | โœ… `DisableServiceInRegistry` function: DisableServiceInRegistry parameters: serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - elevateToTrustedInstaller: 'true' - function: SoftDeleteFiles parameters: 
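Review bot: The rewritten comment above `DisableServiceInRegistry` no longer records the TrustedInstaller test result, and the hunk drops `elevateToTrustedInstaller: 'true'` without saying why. The removed comment showed the registry method succeeding both with and without elevation, so running without it is the lower-privilege choice. A line such as `# TrustedInstaller elevation is not needed: the unelevated registry change succeeded on every version listed` would keep that evidence next to the call. The trailing `function: SoftDeleteFiles` entry continues outside the hunk.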
@@ -20036,13 +23687,17 @@ actions: - function: SoftDeleteFiles parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\WaaSMedicAgent.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ” Missing on Windows 11 since 23H2 + maximumWindowsVersion: Windows10-MostRecent - function: SoftDeleteFiles parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โŒ Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\WaaSMedicCapsule.dll' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ” Missing on Windows 11 since 23H2 + maximumWindowsVersion: Windows10-MostRecent - function: SoftDeleteFiles parameters: 
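Review bot: `maximumWindowsVersion: Windows10-MostRecent` skips `WaaSMedicAgent.exe` and `WaaSMedicCapsule.dll` on every Windows 11 release, while the availability comments only record them as missing on Windows 11 23H2 and later. The docs added elsewhere in this commit cite a `10.0.22621.1` WaaSMedic manifest for both files, which suggests they may still ship on some Windows 11 builds; if so, the gate leaves them in place there. If a missing file is simply a no-op for `SoftDeleteFiles` (not visible here), dropping the gate or confirming on Windows 11 21H2/22H2 would be safer. Otherwise the untested versions should be stated, e.g. `# Not verified on Windows 11 21H2/22H2`.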
@@ -20056,19 +23711,96 @@ actions: - function: SoftDeleteFiles parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) fileGlob: '%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll' grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll' + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + fileGlob: '%SYSTEMROOT%\UUS\amd64\WaaSMedicSvcImpl.dll' grantPermissions: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\WaaS\*' # Includes `services` and `tasks` folders that defines the desired state configuration on remediation. + fileGlob: '%SYSTEMROOT%\WaaS\*' # Includes `services` and `tasks` folders that defines the desired state configuration on remediation. 
grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 recurse: 'true' + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โŒ Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.WaaSMedicDocked.CBSHelper + elevateToTrustedInstaller: 'true' # ๐Ÿ” Missing on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + minimumWindowsVersion: Windows11-FirstRelease + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\AppID\{2ED83BAA-B2FD-43B1-99BF-E6149C622692} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{2ED83BAA-B2FD-43B1-99BF-E6149C622692} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{63480537-5d3d-4c42-8ac4-22a2bc016244} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Interface\{B4C1D279-966E-44E9-A9C5-CCAF4A77023D} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 
22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Interface\{e4dc719b-fe77-414f-9dbe-3e4ffea7a7a5} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\TypeLib\{3ff1aab8-f3d8-11d4-825d-00104b3646c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Wow6432Node\TypeLib\{3ff1aab8-f3d8-11d4-825d-00104b3646c0} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Microsoft.WaaSMedic + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\Microsoft.WaaSMedic.1 + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{72566e27-1abb-4eb3-b4f0-eb431cb1cb32} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 + - + function: SoftDeleteRegistryKey + parameters: + # Availability: โœ… Windows 10 Pro (โ‰ฅ 22H2) | โœ… 
Windows 11 Pro (โ‰ฅ 23H2) + keyPath: HKLM\Software\Classes\CLSID\{9ea82395-e31b-41ca-8df7-ec1cee7194df} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 - name: Disable automatically enabling Windows Update Medic Service recommend: strict @@ -20101,7 +23833,7 @@ actions: [2]: https://web.archive.org/web/20231127032440/https://strontic.github.io/xcyclopedia/library/upfc.exe-299EA296575CCB9D2C1A779062535D5C.html "upfc.exe | Updateability From SCM | STRONTIC | strontic.github.io" [3]: https://en.wikipedia.org/w/index.php?title=Service_Control_Manager&oldid=1063455957 "Service Control Manager - Wikipedia | en.wikipedia.org" [4]: https://web.archive.org/web/20231129135553/https://blogs.windows.com/windows-insider/2018/07/31/announcing-windows-server-2019-insider-preview-build-17723/ "Announcing Windows Server 2019 Insider Preview Build 17723 | Windows Insider Blog | blogs.windows.com" - [5]: https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [5]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" [6]: https://web.archive.org/web/20231129135227/https://www.tenforums.com/windows-updates-activation/104945-stop-windows-10-updates-properly-completely-25.html "Stop Windows 10 Updates Properly and Completely Solved - Page 25 - Windows 10 Forums | www.tenforums.com" call: - 
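Review bot: The two `TypeLib\{3ff1aab8-f3d8-11d4-825d-00104b3646c0}` deletions may remove a registration that is not exclusive to WaaSMedic. The `11d4` field marks a version-1 GUID generated in the early 2000s, well before this service existed, so the type library identifier was probably taken from somewhere else. Deleting it with `elevateToTrustedInstaller: 'true'` could then affect other COM consumers. Checking that the key's contents reference only WaaSMedic binaries and recording it, e.g. `# Verified <date>: key references only WaaSMedic binaries`, would justify the removal. Separately, the hive spelling varies between entries (`HKLM\Software\...`, `HKLM\SOFTWARE\...`, `WOW6432Node`, `Wow6432Node`); the registry is case-insensitive, but one spelling makes the entries easier to search.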
@@ -20109,13 +23841,7 @@ actions: parameters: fileGlob: '%SYSTEMROOT%\System32\upfc.exe' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 23H2 - beforeIteration: |- # Skip Windows versions older than Windows 10 22H2 (build number 19045) to avoid reported blue screen issues. - $osVersion = [System.Environment]::OSVersion.Version - function Test-IsBeforeWin10Version22H2 { ($osVersion.Major -lt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -lt 19045)) } - if (Test-IsBeforeWin10Version22H2) { - Write-Warning 'Skipping the removal of upfc.exe on systems older Windows versions to prevent possible system crashes or errors.' - exit 0 - } + minimumWindowsVersion: Windows10-22H2 # Skip Windows versions older than Windows 10 22H2 to avoid reported blue screen issues. - function: TerminateAndBlockExecution parameters: 
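Review bot: Replacing the `beforeIteration` script with `minimumWindowsVersion: Windows10-22H2` drops the `Write-Warning` that told the user the `upfc.exe` removal was skipped; whether the shared gate prints anything equivalent is not visible in this hunk. If it is silent, a user on an older build gets no indication that this step did not run, so it is worth confirming or mentioning the skip in the script's docs. The `TerminateAndBlockExecution` call that follows is cut off by the hunk, so it cannot be checked here whether it carries the same gate. If it also targets `upfc.exe`, it would want the same `minimumWindowsVersion: Windows10-22H2` line for the blue-screen reason given in the comment.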
@@ -20681,18 +24407,29 @@ actions: - name: Disable "PerformRemediation" task docs: |- - This script disables the "PerformRemediation" scheduled task. + This script disables the `PerformRemediation` scheduled task in Windows. - This task is responsible for performing remediation or recovery actions for update-related services, ensuring that these services - are running in a supported configuration, particularly after updates. + This task performs recovery actions for update-related services to ensure they run in a supported configuration. - According to the Task Scheduler, this task aids in recovering update-related services to a supported configuration. + Disabling this task enhances privacy by reducing automatic system changes and limiting data collection related to updates. + It enhances control over system settings, letting users manage update configuration tasks without being overridden by the system. + It improves performance by preventing unnecessary background processes. + Microsoft recommends disabling this task in certain environments to minimize data collection and improve performance [1]. - This task restarts Windows Update Medic Service (`WaaSMedicSvc`), even if it is disabled manually [1]. - - Microsoft suggests disabling this task to minimize data collection and optimize performance [2]. + However, disabling this task may interfere with Windows' ability to fix update-related issues automatically, possibly + causing future update problems. - ### Overview of default task statuses + > **Caution**: + > Disabling this task may prevent Windows from automatically resolving update-related problems, + > which may affect system stability and security over time. + + ### Technical Details + + The `PerformRemediation` task is part of the **Windows Update Medic Service** [2]. + It can restart the Windows Update Medic Service even if the service is manually disabled [3]. + The task is located at `\Microsoft\Windows\WaaSMedic\PerformRemediation` [2]. 
+ + #### Overview of default task statuses `\Microsoft\Windows\WaaSMedic\PerformRemediation`: @@ -20702,8 +24439,9 @@ actions: | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | - [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" - [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" + [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" + [2]: https://archive.ph/2024.09.14-152730/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-waasmedic_31bf3856ad364e35_10.0.22621.1_none_94e9973331d890c7.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" call: function: DisableScheduledTask parameters: 
@@ -20961,7 +24699,7 @@ actions: > **Caution**: This script postpones critical security updates, increasing potential security risks for your computer. - [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" + [1]: https://web.archive.org/web/20240828090748/https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" call: - function: SetRegistryValue @@ -21665,6 +25403,7 @@ actions: parameters: packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI publisherId: 8wekyb3d8bbwe + - category: UI for privacy children: 
@@ -29547,7 +33286,7 @@ actions: [6]: https://web.archive.org/web/20240218225733/https://github.com/undergroundwires/privacy.sexy/issues/166 "[BUG]: Network & Internet Problem after using the script ยท Issue #166 ยท undergroundwires/privacy.sexy | GitHub | github.com/undergroundwires/privacy.sexy" [7]: https://web.archive.org/web/20240812132702/https://github.com/undergroundwires/privacy.sexy/issues/225 "[Improvements] possible workaround for issue #110 ยท Issue #225 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" [8]: https://web.archive.org/web/20240812131424/https://github.com/undergroundwires/privacy.sexy/issues/314 "[BUG]: Script that breaks calendar in taskbar ยท Issue #314 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" - [9]: https://archive.ph/2024.08.12-133902/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038%23WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" + [9]: https://web.archive.org/web/20240905100141/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038#WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com" [10]: https://archive.ph/2024.08.12-133132/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_10 "Windows 10 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com" [11]: https://archive.ph/2024.08.12-133105/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_11 "Windows 11 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com" [12]: 
https://web.archive.org/web/20240812131129/https://github.com/undergroundwires/privacy.sexy/issues/227 "[BUG]: Disabling \"Windows Push Notification Service\" also breaks action center ยท Issue #227 ยท undergroundwires/privacy.sexy ยท GitHub | github.com" @@ -30373,7 +34112,7 @@ functions: # Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them. # It does not touch any of the folders. # This allows for easier restoration and less immediate disruption compared to permanent deletion. - # Try `grantPermissions` to elevate privileges first then `elevateToTrustedInstaller` as last effort.ยด + # Try `grantPermissions` to elevate privileges first then `elevateToTrustedInstaller` as last effort. parameters: - name: fileGlob - name: grantPermissions # Grants permission on the files found, and restores original permissions after modification. @@ -30382,7 +34121,11 @@ functions: optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + - name: elevateToTrustedInstaller # Only use if `grantPermissions` fails, see `RunPowerShellWithOptionalElevation` + optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true call: - @@ -30399,6 +34142,8 @@ functions: - function: IterateGlob parameters: + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' pathGlob: '{{ $fileGlob }}' revertPathGlob: '{{ $fileGlob }}.OLD' 
@@ -30565,7 +34310,7 @@ functions: Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items." } if ($failedCount -gt 0) { - Write-Warning "Failed to processed $($failedCount) items." + Write-Warning "Failed to process $($failedCount) items." } {{ with $grantPermissions }} [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null 
@@ -30742,23 +34487,25 @@ functions: optional: true - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` optional: true - - name: setupCode # PowerShell code to execute before elevation. + - name: setupCodeUnelevated # PowerShell code to execute before elevation. + optional: true + - name: setupCodeElevated # PowerShell code to execute after elevation. optional: true docs: |- - This function executes PowerShell code with optional TrustedInstaller privileges, whic - may be required for performing system-level tasks that require the highest permission levels. + This function executes PowerShell code with optional TrustedInstaller privileges, which + may be required for performing system-level tasks that require the highest permission levels. - It is designed to handle tasks that cannot be completed under normal user or administrator privileges, - such as modifying protected registry keys or system files. + It is designed to handle tasks that cannot be completed under normal user or administrator privileges, + such as modifying protected registry keys or system files. call: function: RunPowerShellWithWindowsVersionConstraints parameters: minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' # Issues and workarounds: - # privacy.sexy word triggering Defender (https://github.com/undergroundwires/privacy.sexy/issues/421) + # - privacy.sexy word triggering Defender (https://github.com/undergroundwires/privacy.sexy/issues/421) # Using `cAByAGkAdgBhAGMAeQAuAHMAZQB4AHkA` base64 encoding of `privacy.sexy` - # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. + # - PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. # Seen e.g. on Windows 11 when reverting scripts after executing them and reboot. 
# They are seen to throw different exceptions: # - `Unregister-ScheduledTask : The system cannot find the file specified` 
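Review bot: The workaround comment kept as context in this hunk still says the task name uses the `cAByAGkAdgBhAGMAeQAuAHMAZQB4AHkA` base64 encoding, but the next hunk builds it as `"privacy$([char]0x002E)sexy invoke"`, so the comment no longer matches the code. I would replace that comment line with `# Building the dot with [char]0x002E so the literal name does not appear in the generated script`. The `call:` block this comment belongs to continues past the end of the hunk.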
@@ -30777,83 +34524,86 @@ functions: # - โŒ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - โœ… Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. + # - Inlining is not working when elevated, should use `{{ . | inlinePowerShell}}` when elevated (refactor-with-if-syntax). + # Inlinining PowerShell would help save space to not hit maximum batch command length limit (8191) setupCode: |- {{ with $elevateToTrustedInstaller }} - function Invoke-AsTrustedInstaller { - param ( ` - [Parameter(Mandatory=$true)] ` - [string]$Script ` - ) - $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') - $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) - $streamOutFile = New-TemporaryFile + function Invoke-AsTrustedInstaller($Script) { + $principalSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') + $principalName = $principalSid.Translate([System.Security.Principal.NTAccount]) + $streamFile = New-TemporaryFile $scriptFile = New-TemporaryFile try { $scriptFile = Rename-Item ` -LiteralPath $scriptFile ` - -NewName "$($scriptFile.BaseName).ps1" ` + -NewName ($scriptFile.BaseName + '.ps1') ` + -Force ` -PassThru $Script | Out-File $scriptFile -Encoding UTF8 - $taskName = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(('cAByAGkAdgBhAGMAeQAuAHMAZQB4AHkA'))) + ' invoke' - schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output - $scriptExecutionCommand = "powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamOutFile' -Encoding UTF8" - $taskAction = New-ScheduledTaskAction ` + $taskName = "privacy$([char]0x002E)sexy invoke" + 
schtasks.exe /delete /tn $taskName /f 2>&1 | Out-Null + $executionCommand = "powershell.exe -ExecutionPolicy Bypass -File '$scriptFile' *>&1 | Out-File -FilePath '$streamFile' -Encoding UTF8" + $action = New-ScheduledTaskAction ` -Execute 'powershell.exe' ` - -Argument "-ExecutionPolicy Bypass -Command `"$scriptExecutionCommand`"" - $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries + -Argument "-ExecutionPolicy Bypass -Command `"$executionCommand`"" + $settings = New-ScheduledTaskSettingsSet ` + -AllowStartIfOnBatteries ` + -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` - -Action $taskAction ` + -Action $action ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() - $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null - $timeOutLimit = (Get-Date).AddMinutes(5) - Write-Host "Running as `"$trustedInstallerName`"" - while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { + $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $principalName) | Out-Null + $timeout = (Get-Date).AddMinutes(5) + Write-Host "Running as $principalName" + while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 - if((Get-Date) -gt $timeOutLimit) { - Write-Warning "Skipping results, it took so long to execute script." + if ((Get-Date) -gt $timeout) { + Write-Warning 'Skipping: Timeout' break } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { - Write-Error "Failed to execute with exit code: $result." + Write-Error "Failed, due to exit code: $result." 
} } finally { - schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors + schtasks.exe /delete /tn $taskName /f | Out-Null } - Get-Content $streamOutFile + Get-Content $streamFile } finally { - Remove-Item $streamOutFile, $scriptFile + Remove-Item $streamFile, $scriptFile } } {{ end }}{{ with $setupCode }} - {{ . }} + {{ . {{ with $elevateToTrustedInstaller }} | inlinePowershell {{ end }} }} {{ end }} code: |- {{ with $elevateToTrustedInstaller }} - $command = @' + $cmd = @' {{ end }} + {{ with $setupCodeElevated }} {{ . }} {{ end }} {{ $code }} {{ with $elevateToTrustedInstaller }} '@ - Invoke-AsTrustedInstaller "$command" + Invoke-AsTrustedInstaller $cmd {{ end }} revertCode: |- {{ with $revertCode }} {{ with $elevateToTrustedInstaller }} - $command = @' + $cmd = @' {{ end }} + {{ with $setupCodeElevated }} {{ . }} {{ end }} {{ . }} {{ with $elevateToTrustedInstaller }} '@ - Invoke-AsTrustedInstaller "$command" + Invoke-AsTrustedInstaller $cmd {{ end }} {{ end }} - @@ -31023,9 +34773,13 @@ functions: # Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11. name: setDefaultOnWindows11 optional: true + - + name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true call: - function: RunPowerShell + function: RunPowerShellWithOptionalElevation parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' # Unsupported arguments -> # Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms 
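Review bot: The `setupCode:` template still opens with `{{ with $setupCode }}`, although the previous hunk renames that parameter to `setupCodeUnelevated`. Unless the compiler tolerates undeclared names, the unelevated setup code is either silently dropped or the collection fails to compile. The new body `{{ . {{ with $elevateToTrustedInstaller }} | inlinePowershell {{ end }} }}` also nests one expression inside another and spells the pipe differently from the `inlinePowerShell` named in the comment added above it, so it is worth confirming that it parses. The conservative form is `{{ end }}{{ with $setupCodeUnelevated }}` followed by a plain `{{ . }}`. Separately, `Invoke-AsTrustedInstaller` writes the script to a `New-TemporaryFile` path (presumably under the caller's temp directory) and then runs that path as TrustedInstaller with `-ExecutionPolicy Bypass`; restricting the file's ACL to administrators before `Register-ScheduledTask` would narrow who can alter what gets executed.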
@@ -31507,10 +35261,16 @@ functions: optional: true - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true call: function: RunPowerShellWithOptionalElevation parameters: elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' code: |- $pathGlobPattern = "{{ $pathGlob }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) @@ -32673,10 +36433,11 @@ functions: - function: RunPowerShellWithOptionalElevation parameters: - setupCode: '{{ with $setupCode }}{{ . }}{{ end }}' + setupCodeUnelevated: '{{ with $setupCode }}{{ . }}{{ end }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' code: |- + $registryPath = '{{ $keyPath }}' $data = '{{ $data }}' {{ with $evaluateDataAsPowerShell }} $data = $({{ $data }}) @@ -32993,7 +36754,7 @@ functions: | Where-Object { $_.Value -eq $executableFilename } if ($existingBlockingRuleForExecutable) { $existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name - Write-Output "Skipping, no action needed: `$executableFilename` is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"." + Write-Output "Skipping, no action needed: '$executableFilename' is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"." exit 0 } $occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties ` 
@@ -33476,7 +37237,7 @@ functions: 'Windows10-1909' { '10.0.18363' } 'Windows10-1607' { '10.0.14393' } default { - throw "Internal privacy.sexy error: No build for minimum Windows '$versionName'" + throw "Internal privacy$([char]0x002E)sexy error: No build for minimum Windows '$versionName'" } } $minVersion = [System.Version]::Parse($buildNumber) @@ -33495,7 +37256,7 @@ functions: 'Windows10-1909' { '10.0.18363' } 'Windows10-1903' { '10.0.18362' } default { - throw "Internal privacy.sexy error: No build for maximum Windows '$versionName'" + throw "Internal privacy$([char]0x002E)sexy error: No build for maximum Windows '$versionName'" } } $maxVersion=[System.Version]::Parse($buildNumber) @@ -33719,7 +37480,7 @@ functions: $path = "$($hive):$($rawPath.Substring($hive.Length))" Write-Host "Restoring value '$value' at '$path' with type '$rawType' and value '$data'." if (-Not $rawType) { - throw "Internal privacy.sexy error: Data type is not provided for data '$data'." + throw "Internal privacy$([char]0x002E)sexy error: Data type is not provided for data '$data'." } if (-Not (Test-Path -LiteralPath $path)) { try { @@ -33749,7 +37510,7 @@ functions: 'REG_QWORD' { 'QWord' } 'REG_EXPAND_SZ' { 'ExpandString' } default { - throw "Internal privacy.sexy error: Failed to find data type for: '$rawType'." + throw "Internal privacy$([char]0x002E)sexy error: Failed to find data type for: '$rawType'." } } Set-ItemProperty ` @@ -34002,7 +37763,7 @@ functions: valueName: 'HiddenByDefault' dataType: REG_DWORD data: '1' # It hides on Windows 11 Pro (โ‰ฅ 23H2) 11, this is the default behavior but this value is missing by default - deleteOnRevert: 'true' # Missing on Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + deleteOnRevert: 'true' # ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ” Missing on Windows 11 Pro (โ‰ฅ 23H2) minimumWindowsVersion: Windows11-FirstRelease # `HiddenByDefault` has no effect Windows 10 - function: SetRegistryValue 
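Review bot: The four `throw` messages changed in the hunks on this line (minimum build, maximum build, missing data type, unknown data type) now spell the project name as `privacy$([char]0x002E)sexy` with no comment saying why. The only explanation on the page is the Defender false-positive entry in the elevation function's "Issues and workarounds" list. A maintainer reading these switch blocks alone would likely revert it, and anyone searching logs for the literal name will not find it in the source. I would add `# Name is assembled at runtime, see https://github.com/undergroundwires/privacy.sexy/issues/421` above each `throw`, or define the name once and reuse it. The enclosing `switch` blocks start outside these hunks.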
@@ -34011,7 +37772,7 @@ functions: valueName: 'HideIfEnabled' dataType: REG_DWORD data: '0x22ab9b9' # Default value on Windows 11 Pro (โ‰ฅ 23H2) 11, it hides - dataOnRevert: '0x22ab9b9' # Default value: Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0x22ab9b9` on Windows 11 Pro (โ‰ฅ 23H2) + dataOnRevert: '0x22ab9b9' # Default value: ๐Ÿ” Missing on Windows 10 Pro (โ‰ฅ 22H2) | `0x22ab9b9` on Windows 11 Pro (โ‰ฅ 23H2) minimumWindowsVersion: Windows11-FirstRelease # `HideIfEnabled` has no effect Windows 10 - function: ShowExplorerRestartSuggestion 
@@ -34422,3 +38183,311 @@ functions: matchDataBeforeDelete: '{{ $progId }}' minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + - + name: DisablePushNotifications + parameters: + - name: appUserModelId # The Application User Model ID (AppUserModelID) of the target application. + docs: |- + This function disables push/toast notifications for a given application by modifying registry + keys associated with Windows notification settings. + + These application user model IDs (AppUserModelId) are extensively used by the Windows taskbar to + associate processes, files, and windows with particular applications [1]. + Notifications in Windows point to these IDs [2] [3]. + Existence of these IDs can be verified by checking `HKCR\AppUserModelId\{{ appUserModelId }}` + registry key. + + The function performs the following registry operations: + + - Configures `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\{{ appUserModelId }}!Enabled`. + - This mirrors the behavior when a user disables notifications via the Windows UI [4]. + - These values do not exist by default on newer Windows versions (Windows 10 Pro โ‰ฅ 22H2, Windows 11 Pro โ‰ฅ 23H2). + - Soft-deletes the key `HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\{{ appUserModelId }}`. + - This key is typically owned by TrustedInstaller and may contain application-specific notification configurations [2]. + - Soft-deletes the key `HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\{{ appUserModelId }}`. + - This key is typically registered by default for each notifying application [3]. 
+ + [1]: https://web.archive.org/web/20240902090450/https://learn.microsoft.com/en-us/windows/win32/shell/appids "Application User Model IDs (AppUserModelIDs) - Win32 apps | Microsoft Learn | learn.microsoft.com" + [2]: https://archive.ph/2024.08.31-162733/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-windows-securitycenter-core_31bf3856ad364e35_10.0.22621.1_none_7bd62966a5d70680.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba ยท privacysexy-forks/nickel-x64 | github.com" + [3]: https://web.archive.org/web/20240902090432/https://stackoverflow.com/questions/67005337/how-works-notifications-on-windows-registry-no-shortlink/67005338#67005338 "How works notifications on windows (registry, no shortlink) - Stack Overflow | stackoverflow.com" + [4]: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ "Disabling Windows 10 Notifications via Group Policy | Platforms, Lync, the Cloud, Oh My! 
| blogs.technet.microsoft.com" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\{{ $appUserModelId }} + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (โ‰ฅ 22H2) and Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\{{ $appUserModelId }} + elevateToTrustedInstaller: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 Pro (โ‰ฅ 22H2) | ๐Ÿ”’๏ธ Protected on Windows 11 Pro (โ‰ฅ 23H2) + - + function: SoftDeleteRegistryKey + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\{{ $appUserModelId }} + - + name: SoftDeleteRegistryKey + parameters: + - name: keyPath # Full path of the subkey or entry to be deleted. No glob/wildcard interpretation. + - name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation` + optional: true + - name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + - name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints` + optional: true + docs: |- + This function recursively renames a specified registry key, all its subkeys, and all their + values by adding ".OLD" suffix. + + It provides an alternative to deleting registry keys when: + + - Preserving permissions on revert are important as renaming would preserve the original OS permissions. + - Default OS settings are deep or contains multiple values, this way the original revert data is preserved. + + ### Order of processing + + For a sample registry structure: + + ``` + Root key + โ”œโ”€โ”€ Value 1 + โ”œโ”€โ”€ Value 2 + โ”œโ”€โ”€ Value 3 + โ”œโ”€โ”€ Subkey 1 + โ”‚ โ”œโ”€โ”€ Value 1 + โ”‚ โ””โ”€โ”€ Value 2 + โ””โ”€โ”€ Subkey 2 + โ”œโ”€โ”€ Value 1 + โ””โ”€โ”€ Value 2 + ``` + + The order of soft deletion would be: + + 1. 
Rename root key values (Value 1, Value 2, Value 3) + 2. Rename Subkey 1 values (Value 1, Value 2) + 3. Rename Subkey 1 itself + 4. Rename Subkey 2's values (Value 1, Value 2) + 5. Rename Subkey 2 itself + 6. Rename the root key + + The revert process supports recovering from partially failed soft deletion: + + 1. Restore root key + 2. Restore root key values (Value 1, Value 2, Value 3) + 3. Restore Subkey 1 itself + 4. Restore Subkey 1 values (Value 1, Value 2) + 5. Restore Subkey 2 itself + 6. Restore Subkey 2's values (Value 1, Value 2) + call: + - + function: Comment + parameters: + codeComment: >- + Soft-delete the registry key: {{ $keyPath }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} + revertCodeComment: >- + Restore registry key: {{ $keyPath }} + {{ with $elevateToTrustedInstaller }}as TrustedInstaller{{ end }} + - + function: RunPowerShellWithOptionalElevation + parameters: + elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}' + maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}' + minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' + # Issues and workarounds: + # - Copy values before deleting to ensure partial deletions if keys are protected + # - Explicitly copy ACLs as `reg copy` and `Rename-Item`, `Copy-Item` don't preserve them + # Use bottom-up traversal to avoid permission errors due to lack of parrent access. + # - Handle copy and delete separately to avoid leftover copies on failure. + # `Rename-Item` keeps a copy when it fails. + # - Modify ACL object before `Set-Acl` to ensure populated data. + # Workaround for https://stackoverflow.com/a/4784764. + # Above workaround does not set inheritence correctly, so using SDDL, reproduce: + # 1. Soft-delete `HKLM\Software\Classes\CLSID\{6CED0DAA-4CDE-49C9-BA3A-AE163DC3D7AF}` + # 2. 
Open `regedit`, navigate to key, view Permissions > Advanced Security + # - Use -Path instead of -LiteralPath for `Get-Acl` and `Set-Acl` with registry keys + setupCodeElevated: |- + function Copy-Acl($Src, $Dst) { + $srcKeys = @(Get-ChildItem -LiteralPath $Src -ErrorAction SilentlyContinue) + foreach ($key in $srcKeys) { + $dstKey = Join-Path $Dst $key.PSChildName + Copy-Acl -Src $key.PSPath -Dst $dstKey + } + $acl = Get-Acl -Path $Src -ErrorAction Stop + $sections = [System.Security.AccessControl.AccessControlSections]::All -band (-bnot [System.Security.AccessControl.AccessControlSections]::Owner) + $sddl = $acl.GetSecurityDescriptorSddlForm($sections) + $acl.SetSecurityDescriptorSddlForm($sddl, $sections) + Set-Acl -Path $Dst -AclObject $acl -ErrorAction Stop + } + function Rename-KeyWithAcl($Old, $New) { + try { + Copy-Item -LiteralPath $Old -Destination $New -Recurse -Force -ErrorAction Stop + } catch { + throw "Failed to copy: $_" + } + try { + Copy-Acl -Src $Old -Dst $New + } catch { + Write-Warning "Failed to copy ACL: $_" + } + try { + Remove-Item -LiteralPath $Old -Force -Recurse -ErrorAction Stop | Out-Null + } catch { + try { + Remove-Item -LiteralPath $New -Force -Recurse -ErrorAction Stop | Out-Null + } catch { + Write-Warning "Failed to clean up: $_" + } + throw "Failed to remove: $_" + } + } + code: |- + $rawPath='{{ $keyPath }}' + $suffix='.OLD' + $global:ok = 0 + $global:skip = 0 + $global:fail = 0 + function Rename-KeyTree($Path) { + Write-Host "Processing key: $Path" + if (-Not (Test-Path -LiteralPath $Path)) { + Write-Host 'Skipping: Key does not exist.' + $global:skip++ + return + } + $values = (Get-Item -LiteralPath $Path -ErrorAction Stop | Select-Object -ExpandProperty Property) + foreach ($value in $values) { + Write-Host "Renaming '$value'" + if ($value.EndsWith($suffix)) { + Write-Host 'Skipping: Has suffix.' + $global:skip++ + continue + } + $backupName = $value + $suffix + Write-Host "Renaming to '$backupName'." 
+ try { + Rename-ItemProperty -LiteralPath $Path -Name $value -NewName $backupName -ErrorAction Stop + Write-Host 'Successfully renamed.' + $global:ok++ + } catch { + Write-Warning "Failed to rename value: $_" + $global:fail++ + } + } + $subkeys = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) + foreach ($key in $subkeys) { + Rename-KeyTree $key.PSPath + } + Write-Host "Renaming key '$Path'." + if ($Path.EndsWith($suffix)) { + Write-Host 'Skipping: Has suffix.' + $global:skip++ + } else { + $backupPath = $Path + $suffix + while (Test-Path -LiteralPath $backupPath) { + $backupPath += $suffix + } + Write-Host "Renaming to '$backupPath'." + try { + Rename-KeyWithAcl -Old $Path -New $backupPath -ErrorAction Stop + Write-Host 'Successfully renamed.' + $global:ok++ + } catch { + Write-Warning "Failed to rename: $_" + $global:fail++ + } + } + } + Write-Host "Soft deleting registry key '$rawPath' recursively." + $hive = $rawPath.Split('\')[0] + $path = $hive + ':' + $rawPath.Substring($hive.Length) + Rename-KeyTree $path + $totalItems = $global:ok + $global:skip + $global:fail + Write-Host "Total items: $totalItems, Renamed: $global:ok, Skipped: $global:skip, Failed: $global:fail" + if (($totalItems -eq 0) -or ($totalItems -eq $global:skip)) { + Write-Host 'No items were processed. The operation had no effect.' + } elseif ($global:fail -eq $totalItems) { + throw "Operation failed. All $global:fail items could not be processed." + } elseif ($global:ok) { + Write-Host "Successfully processed $global:ok item(s)." 
+ } + revertCode: |- + $rawPath='{{ $keyPath }}' + $suffix ='.OLD' + $global:fail = 0 + $global:ok = 0 + function Get-Real($s) { + while ($s.EndsWith($suffix)) { + $s = $s.Substring(0, $s.Length - $suffix.Length) + } + return $s + } + function Restore-KeyTree($Path) { + $dest = Get-Real $Path + $src = $Path + Write-Host "Restoring key: '$dest' from '$src'" + if (-Not $src.EndsWith($suffix)) { + $src += $suffix + if (-Not (Test-Path -LiteralPath $src)) { + Write-Host 'Skipping: No data.' + Restore-Children $dest + return + } + } + if (Test-Path -LiteralPath $dest) { + Write-Host 'Skipping to avoid data loss. Key already exists.' + Write-Warning "Manual intervention may be required to fully restore from '$src'." + } else { + try { + Rename-KeyWithAcl -Old $src -New $dest -ErrorAction Stop + Write-Host 'Successfully restored.' + $global:ok++ + } catch { + Write-Warning "Failed: $_" + $global:fail++ + } + } + Restore-Children $dest + } + function Restore-Children($Path) { + Write-Host "Restoring values in '$Path'" + if (-Not (Test-Path -LiteralPath $Path)) { + Write-Host 'Skipping: Key does not exist. No action needed.' + return + } + $values = ( ` + Get-Item -LiteralPath $Path -ErrorAction Stop | Select-Object -ExpandProperty Property ` + ) + foreach ($value in $values) { + Write-Host "Restoring value '$value'" + if (-Not $value.EndsWith($suffix)) { + Write-Host 'Skipping: No action needed.' + continue + } + $real = Get-Real $value + Write-Host "Renaming to '$real'." + try { + Rename-ItemProperty -LiteralPath $Path -Name $value -NewName $real -ErrorAction Stop + Write-Host 'Successfully restored.' + $global:ok++ + } catch { + Write-Warning "Failed: $_" + $global:fail++ + } + } + $keys = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) + foreach ($key in $keys) { + Restore-KeyTree $key.PSPath + } + } + Write-Host "Restoring registry key '$rawPath' recursively." 
+ $hive = $rawPath.Split('\')[0] + $path = $hive + ':' + $rawPath.Substring($hive.Length) + Restore-KeyTree $path + if ($global:fail) { + Write-Error 'Failed to restore' + Exit 1 + }
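Review bot: `Rename-KeyWithAcl` in `setupCodeElevated` only warns when `Copy-Acl` fails and then still removes the original key, so the `.OLD` copy, and later the restored key, keeps whatever permissions `Copy-Item` gave it instead of the original ones. For keys that are protected by default, such as the `PushNotifications\Applications` key that `DisablePushNotifications` soft-deletes as TrustedInstaller, this can leave the key less restricted after a revert than before. That contradicts the docs' statement that renaming preserves the original OS permissions. I would fail closed: in that `catch`, replace the warning with `Remove-Item -LiteralPath $New -Force -Recurse -ErrorAction SilentlyContinue` and `throw "Failed to copy ACL: $_"`, which leaves the original key in place. `Copy-Acl` also masks out the `Owner` section, so ownership is not carried over either, and a comment there should say whether that is intended.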