diff --git a/lib/reg-helper.psm1 b/lib/reg-helper.psm1 new file mode 100644 index 0000000..2a91ff0 --- /dev/null +++ b/lib/reg-helper.psm1 @@ -0,0 +1,28 @@ +function Import-Registry($reg) { + # add reg file hander + $reg = "Windows Registry Editor Version 5.00`r`n`r`n" + $reg + + # store, import and remove reg file + $regfile = "$env:windir\Temp\registry.reg" + $reg | Out-File $regfile + Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait + rm $regfile +} + +function Takeown-Registry($key) { + # TODO works only for LocalMachine for now + $key = $key.substring(19) + + # set owner + $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Defender\Spynet", "ReadWriteSubTree", "TakeOwnership") + $owner = [Security.Principal.NTAccount]"Administrators" + $acl = $key.GetAccessControl() + $acl.SetOwner($owner) + $key.SetAccessControl($acl) + + # set FullControl + $acl = $key.GetAccessControl() + $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Allow") + $acl.SetAccessRule($rule) + $key.SetAccessControl($acl) +} \ No newline at end of file diff --git a/scripts/disable-defender.ps1 b/scripts/disable-defender.ps1 index 07b9e9d..82394f4 100644 --- a/scripts/disable-defender.ps1 +++ b/scripts/disable-defender.ps1 @@ -1,10 +1,10 @@ # Description: # This script will disable Windows Defender via Group Policies. -echo "Disabling Windows Defender" -$reg = @" -Windows Registry Editor Version 5.00 +Import-Module $PSScriptRoot\..\lib\reg-helper.psm1 +echo "Disabling Windows Defender" +Import-Registry(@" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender] "DisableAntiSpyware"=dword:00000001 "DisableRoutinelyTakingAction"=dword:00000001 
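Review bot: `Import-Registry` writes every import to the fixed path `$env:windir\Temp\registry.reg` and then passes that file to `regedit.exe /s`, so a predictably named file, in a directory other local accounts may be able to write to, determines what a presumably elevated process imports into the registry. Give the file a per-call name and delete it in a `finally` so it is also removed when the import throws, as in the excerpt below; every script in this commit now goes through this helper, so one fix covers them all. `Takeown-Registry` also discards its argument: after `$key.substring(19)` the variable is overwritten by `OpenSubKey("SOFTWARE\Microsoft\Windows Defender\Spynet", ...)`, so ownership and FullControl are always changed on that one key regardless of what the caller passed. Passing `$key` as the first argument of `OpenSubKey` would make the function match its signature. Both functions were moved unchanged from fix-privacy-settings.ps1, so neither problem is new, but they are now shared code.

```powershell
function Import-Registry($reg) {
    # ... unchanged: prepend the "Windows Registry Editor Version 5.00" header ...

    # per-call file name, so an existing registry.reg is never picked up or reused
    $regfile = Join-Path "$env:windir\Temp" ("registry-" + [guid]::NewGuid().ToString() + ".reg")
    try {
        $reg | Out-File $regfile
        Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait
    } finally {
        # remove the file even when the import above fails
        Remove-Item $regfile -ErrorAction SilentlyContinue
    }
}
```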
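Review bot: The `Import-Module $PSScriptRoot\..\lib\reg-helper.psm1` line added at the top of disable-defender.ps1 has no error handling. With default error preferences, a module that fails to load lets the script continue, print "Disabling Windows Defender", and then fail on `Import-Registry` without applying anything, which leaves the machine in a state the output does not reflect. I would write it as `Import-Module "$PSScriptRoot\..\lib\reg-helper.psm1" -ErrorAction Stop`; the same line is added in disable-telemetry.ps1, fix-privacy-settings.ps1, optimize-windows-update.ps1 and remove-onedrive.ps1. As a style point, `Import-Registry(@"` uses method-call parentheses for a function call; `Import-Registry @"` … `"@` is the usual PowerShell form and avoids surprises if a second parameter is ever added. The here-string opened in this hunk is closed in the next hunk.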
@@ -13,8 +13,4 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection] "DisableRealtimeMonitoring"=dword:00000001 -"@ -$regfile = "$env:windir\Temp\registry.reg" -$reg | Out-File $regfile -Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait -rm $regfile +"@) diff --git a/scripts/disable-telemetry.ps1 b/scripts/disable-telemetry.ps1 index 2ba6eba..59742f1 100644 --- a/scripts/disable-telemetry.ps1 +++ b/scripts/disable-telemetry.ps1 @@ -2,6 +2,8 @@ # This script redirects telemetry related domains to your nowhere using the # hosts file. Additionally telemetry is disallows via Group Policies. +Import-Module $PSScriptRoot\..\lib\reg-helper.psm1 + echo "Adding telemetry routes to hosts file" $hosts = @" 0.0.0.0 134.170.30.202 @@ -56,17 +58,11 @@ $hosts = @" 0.0.0.0 watson.telemetry.microsoft.com 0.0.0.0 watson.telemetry.microsoft.com.nsatc.net 0.0.0.0 wes.df.telemetry.microsoft.com -"@ +"@) echo $hosts >> "$env:systemroot\System32\drivers\etc\hosts" echo "Disabling telemetry via Group Policies" -$reg = @" -Windows Registry Editor Version 5.00 - +Import-Registry(@" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection] "AllowTelemetry"=dword:00000000 -"@ -$regfile = "$env:windir\Temp\registry.reg" -$reg | Out-File $regfile -Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait -rm $regfile +"@) diff --git a/scripts/fix-privacy-settings.ps1 b/scripts/fix-privacy-settings.ps1 index b26a490..1832bc0 100644 --- a/scripts/fix-privacy-settings.ps1 +++ b/scripts/fix-privacy-settings.ps1 
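Review bot: In the disable-telemetry.ps1 hunk at `-56,17 +58,11`, the terminator of the hosts here-string was changed from `"@` to `"@)`, but that here-string is still opened by the plain assignment `$hosts = @"` (visible in the hunk header and as context in the previous hunk). The `)` therefore has no matching `(`, and the script should fail to parse, so neither the hosts entries nor the telemetry policy would be applied. Revert that one line to `"@`; only the registry block further down, which now opens with `Import-Registry(@"`, needs the `"@)` terminator. The opening of the hosts here-string lies outside this hunk.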
@@ -2,35 +2,7 @@ # This script will try to fix many of the privacy settings for the user. This # is work in progress! - -function Import-Registry($reg) { - # add reg file hander - $reg = "Windows Registry Editor Version 5.00`r`n`r`n" + $reg - - # store, import and remove reg file - $regfile = "$env:windir\Temp\registry.reg" - $reg | Out-File $regfile - Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait - rm $regfile -} - -function Takeown-Registry($key) { - # TODO works only for LocalMachine for now - $key = $key.substring(19) - - # set owner - $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows Defender\Spynet", "ReadWriteSubTree", "TakeOwnership") - $owner = [Security.Principal.NTAccount]"Administrators" - $acl = $key.GetAccessControl() - $acl.SetOwner($owner) - $key.SetAccessControl($acl) - - # set FullControl - $acl = $key.GetAccessControl() - $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Allow") - $acl.SetAccessRule($rule) - $key.SetAccessControl($acl) -} +Import-Module $PSScriptRoot\..\lib\reg-helper.psm1 function Enable-Privilege { param($Privilege) diff --git a/scripts/optimize-windows-update.ps1 b/scripts/optimize-windows-update.ps1 index 17156a3..6850cf6 100644 --- a/scripts/optimize-windows-update.ps1 +++ b/scripts/optimize-windows-update.ps1 
@@ -2,29 +2,19 @@ # This script optimizes Windows updates by disabling automatic download and # seeding updates to other computers. -echo "Disable automatic download and installation of Windows updates" -$reg = @" -Windows Registry Editor Version 5.00 +Import-Module $PSScriptRoot\..\lib\reg-helper.psm1 +echo "Disable automatic download and installation of Windows updates" +Import-Registry(@" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU] "NoAutoUpdate"=dword:00000000 "AUOptions"=dword:00000002 "ScheduledInstallDay"=dword:00000000 "ScheduledInstallTime"=dword:00000003 -"@ -$regfile = "$env:windir\Temp\registry.reg" -$reg | Out-File $regfile -Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait -rm $regfile +"@) echo "Disable seeding of updates to other computers" -$reg = @" -Windows Registry Editor Version 5.00 - +Import-Registry(@" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization] "SystemSettingsDownloadMode"=dword:00000003 -"@ -$regfile = "$env:windir\Temp\registry.reg" -$reg | Out-File $regfile -Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait -rm $regfile +"@) diff --git a/scripts/remove-onedrive.ps1 b/scripts/remove-onedrive.ps1 index c74673c..7fb6237 100644 --- a/scripts/remove-onedrive.ps1 +++ b/scripts/remove-onedrive.ps1 @@ -1,6 +1,8 @@ # Description: # This script will remove and disable OneDrive integration. +Import-Module $PSScriptRoot\..\lib\reg-helper.psm1 + echo "Kill OneDrive process" taskkill.exe /F /IM "OneDrive.exe" taskkill.exe /F /IM "explorer.exe" 
@@ -20,16 +22,10 @@ rm -r -Force "$env:userprofile\OneDrive" rm -r -Force "C:\OneDriveTemp" echo "Disable OneDrive via Group Policies" -$reg = @" -Windows Registry Editor Version 5.00 - +Import-Registry(@" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\OneDrive] "DisableFileSyncNGSC"=dword:00000001 -"@ -$regfile = "$env:windir\Temp\registry.reg" -$reg | Out-File $regfile -Start-Process "regedit.exe" -ArgumentList ("/s", "$regfile") -Wait -rm $regfile +"@) echo "Removing startmenu entry" rm "$env:userprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"