Security
parent
15ed7bd4c6
commit
e614bf2cec
@ -0,0 +1,5 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
|
||||
"FullPath"=dword:00000001
|
||||
"FullPathAddress"=dword:00000001
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
|
||||
"ClearPageFileAtShutdown"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
|
||||
"TrustPolicy"=dword:1
|
@ -0,0 +1,6 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
; This decrease the security since it disabled the Protocol Behavior, but in some cases
|
||||
; it can help.
|
||||
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
|
||||
"PreXPSP2ShellProtocolBehavior"=dword:1
|
@ -0,0 +1,7 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
|
||||
"CompatibleRUPSecurity"=dword:0
|
||||
|
||||
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
|
||||
"CompatibleRUPSecurity"=dword:0
|
Binary file not shown.
@ -0,0 +1,7 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices]
|
||||
"Deny_All"=dword:1
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices]
|
||||
"Deny_All"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
|
||||
"SaveZoneInformation"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Efs]
|
||||
"EfsConfiguration"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI]
|
||||
"EnableSecureCredentialPrompting"=dword:1
|
@ -0,0 +1,5 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
; Force keep positive entries in DNS Cache for only 4 hours instead of the default 24 hours
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||||
"MaxCacheTtl "=dword:00003840
|
@ -0,0 +1,5 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
;If an Administrator attempts a protected action - Silently Succeed
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
|
||||
"ConsentPromptBehaviorAdmin"=dword:00000000
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
|
||||
"Friendly http errors"="yes"
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
|
||||
"NoJITSetup"=dword:1
|
@ -0,0 +1,7 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer]
|
||||
"DisableImportExportFavorites"=dword:1
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]
|
||||
"DisableImportExportFavorites"=dword:1
|
Binary file not shown.
@ -0,0 +1,7 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
|
||||
"HelpQualifiedRootDir"=hex(2):00,00
|
||||
|
||||
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
|
||||
"HelpQualifiedRootDir"=hex(2):00,00
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
|
||||
"nolmhash"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
|
||||
"DisableMedia"=dword:1
|
@ -0,0 +1,7 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
|
||||
"[RSW:VALUELIST]"=""
|
||||
|
||||
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
|
||||
"[RSW:VALUELIST]"=""
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
|
||||
"RestrictAnonymous"=dword:1
|
@ -0,0 +1,4 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Security Center]
|
||||
"SecurityCenterInDomain"=dword:1
|
@ -0,0 +1,6 @@
|
||||
Windows Registry Editor Version 5.00
|
||||
|
||||
; Warn on missing AV and if Firewall gets deactivated
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
|
||||
"FirewallOverride"=dword:1
|
||||
"AntiVirusOverride"=dword:1
|
@ -0,0 +1,83 @@
|
||||
REM keeping win7 clean !!!! (change this file CleanWin7.txt extension to cmd and run)
|
||||
|
||||
:: reg hacks -------------------------------------------
|
||||
REM disable downloaded w10 files
|
||||
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx /f /v DisableGwx /t REG_DWORD /d 1
|
||||
REM disable upgrade requests
|
||||
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f /v DisableOSUpgrade /t REG_DWORD /d 1
|
||||
|
||||
:: services ---------------------------------------------
|
||||
sc config DiagTrack start= disabled
|
||||
net stop DiagTrack
|
||||
|
||||
:: scheduled tasks reporting to Redmond -----------
|
||||
schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE
|
||||
REM schtasks /Change /TN "\Microsoft\Windows\Autochk\Media Center\*all*" /DISABLE
|
||||
REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\launchtrayprocess" /DISABLE
|
||||
REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfig" /DISABLE
|
||||
REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" /DISABLE
|
||||
REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxcontent" /DISABLE
|
||||
schtasks /Change /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE
|
||||
|
||||
:: evil updates -----------------------------------------
|
||||
|
||||
REM kb971033 License validation check
|
||||
start "title" /b /wait wusa.exe /kb:971033 /uninstall /quiet /norestart
|
||||
|
||||
REM kb2876229 Skype
|
||||
start "title" /b /wait wusa.exe /kb:2876229 /uninstall /quiet /norestart
|
||||
|
||||
REM kb2952664 Compatibility update for upgrading Windows 7
|
||||
start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
|
||||
|
||||
REM kb2976978 Compatibility update for Windows 8.1 and Windows 8
|
||||
start "title" /b /wait wusa.exe /kb:2976978 /uninstall /quiet /norestart
|
||||
|
||||
REM kb2977759 - W10 Diagnostics Compatibility telemetry
|
||||
start "title" /b /wait wusa.exe /kb:2977759 /uninstall /quiet /norestart
|
||||
|
||||
REM kb2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
|
||||
start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3012973 Upgrade to Windows 10 Pro
|
||||
start "title" /b /wait wusa.exe /kb:3012973 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3021917 Update to Windows 7 SP1 for performance improvements
|
||||
start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3022345 Update for customer experience and diagnostic telemetry (replace with KB3068708)
|
||||
start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3035583 Update installs get windows 10 app in Windows 8.1 and Windows 7 SP1
|
||||
start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3044374 - W8,8.1 Nagware for W10
|
||||
start "title" /b /wait wusa.exe /kb:3044374 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3050265 - Windows Update service updated to accept upgrade to W10
|
||||
start "title" /b /wait wusa.exe /kb:3050265 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3065987 - update for Windows Update (v7 v2008)
|
||||
start "title" /b /wait wusa.exe /kb:3065987 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3068707 - Customer experience telemetry points
|
||||
start "title" /b /wait wusa.exe /kb:3068707 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3068708 (replaces KB3022345) Update for customer experience and diagnostic telemetry
|
||||
start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
|
||||
start "title" /b /wait wusa.exe /kb:3075249 /uninstall /quiet /norestart
|
||||
|
||||
REM kb3080149 Update for customer experience and diagnostic telemetry
|
||||
start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
|
||||
|
||||
REM Remember to *hide* all these in Windows Update
|
@ -0,0 +1,29 @@
|
||||
@echo off
|
||||
|
||||
if %1. == . goto usage
|
||||
|
||||
set UNINSTALLX=uninstall-%1-updates.cmd
|
||||
set HIDEX=hide-%1-updates.ps
|
||||
set BADUPDATES=
|
||||
|
||||
echo %1
|
||||
if %1 == win7 set BADUPDATES=971033 2952664 2977759 2990214 3021917 3022345 3035583 3050265 3065987 3068708 3075249 3080149
|
||||
if %1 == win81 set BADUPDATES=2976978 3022345 3035583 3044374 3050267 3068708 3075249 3075853 3080149
|
||||
if %1 == w2008r2 set BADUPDATES=3022345 3050265 3065987 3068708 3080149
|
||||
if %1 == w2012r2 set BADUPDATES=3022345 3068708 3075853 3080140
|
||||
if not defined BADUPDATES goto usage
|
||||
|
||||
echo %BADUPDATES%
|
||||
if exist %UNINSTALLX% del %UNINSTALLX%
|
||||
if exist %HIDEX% del %HIDEX%
|
||||
for %%n in (%BADUPDATES%) do (
|
||||
echo start /w wusa.exe /uninstall /kb:%%n /norestart >> %UNINSTALLX%
|
||||
echo Hide-WUUpdate -Confirm:$false -HideStatus:$true -KBArticleID KB%%n >> %HIDEX%
|
||||
)
|
||||
goto end
|
||||
|
||||
:usage
|
||||
echo Okay, you didn't give the right parameter... it needs to be win7, win81, w2008r2 or w2012r2
|
||||
|
||||
:end
|
||||
echo.
|
@ -0,0 +1,30 @@
|
||||
Dim hideupdates(9)
|
||||
|
||||
hideupdates(0) = "KB2952664"
|
||||
hideupdates(1) = "KB2990214"
|
||||
hideupdates(2) = "KB3021917"
|
||||
hideupdates(3) = "KB3035583"
|
||||
hideupdates(4) = "KB3068708"
|
||||
hideupdates(5) = "KB2977759"
|
||||
hideupdates(6) = "KB3075249"
|
||||
hideupdates(7) = "KB3080149"
|
||||
hideupdates(8) = "KB3050265"
|
||||
hideupdates(9) = "KB3022345"
|
||||
|
||||
|
||||
set updateSession = createObject("Microsoft.Update.Session")
|
||||
set updateSearcher = updateSession.CreateupdateSearcher()
|
||||
|
||||
Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")
|
||||
|
||||
For i = 0 To searchResult.Updates.Count-1
|
||||
set update = searchResult.Updates.Item(i)
|
||||
For j = LBound(hideupdates) To UBound(hideupdates)
|
||||
'MsgBox hideupdates(j)
|
||||
if instr(1, update.Title, hideupdates(j), vbTextCompare) = 0 then
|
||||
'Wscript.echo "No match found for " & hideupdates(j)
|
||||
else
|
||||
Wscript.echo "Hiding " & hideupdates(j)
|
||||
update.IsHidden = True
|
||||
end if
|
||||
Next
|
@ -0,0 +1,75 @@
|
||||
ECHO OFF
|
||||
REM --- remember to invoke from ELEVATED command prompt!
|
||||
REM --- or start the batch with context menu "run as admin".
|
||||
SETLOCAL
|
||||
|
||||
REM --- (as of 2015-08-26):
|
||||
REM KB3012973 - Upgrade to Windows 10 Pro
|
||||
REM KB3021917 - Update to Windows 7 SP1 for performance improvements
|
||||
REM KB3035583 - GWX Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
|
||||
REM KB2952664 - Compatibility update for upgrading Windows 7
|
||||
REM KB2976978 - Compatibility update for Windows 8.1 and Windows 8
|
||||
REM KB3022345 - Telemetry [Replaced by KB3068708]
|
||||
REM KB3068708 - Update for customer experience and diagnostic telemetry
|
||||
REM KB2990214 - Update that enables you to upgrade from Windows 7 to a later version of Windows
|
||||
REM KB3075249 - Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
|
||||
REM KB3080149 - Update for customer experience and diagnostic telemetry
|
||||
REM KB3044374 - W8,8.1 Nagware for W10
|
||||
REM KB2977759 - W10 Diagnostics Compatibility Telemetry
|
||||
REM KB3050265 - Windwos Update services update to upgrade to W10
|
||||
REM KB3068707 - Customer experience telemetry point. W7,8,8.1
|
||||
|
||||
|
||||
REM --- uninstall updates
|
||||
echo uninstalling updates ...
|
||||
start "title" /b /wait wusa.exe /kb:3012973 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:2976978 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3075249 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3044374 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:2977759 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3050265 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
start "title" /b /wait wusa.exe /kb:3068707 /uninstall /quiet /norestart
|
||||
echo - done.
|
||||
|
||||
timeout 10
|
||||
|
||||
echo ... COMPLETED (please remember to REBOOT, and Hide the Following KB Updates)
|
||||
echo ...3012973
|
||||
echo ...3021917
|
||||
echo ...3035583
|
||||
echo ...2952664
|
||||
echo ...2976978
|
||||
echo ...3022345
|
||||
echo ...3068708
|
||||
echo ...2990214
|
||||
echo ...3075249
|
||||
echo ...3080149
|
||||
echo ...3044374
|
||||
echo ...2977759
|
||||
echo ...3050265
|
||||
echo ...3068707
|
||||
echo - done.
|
||||
|
||||
|
||||
pause
|
||||
REM --- EOF
|
Loading…
Reference in New Issue