diff --git a/Security/CabinetState.reg b/Security/CabinetState.reg
new file mode 100644
index 0000000..fe14463
--- /dev/null
+++ b/Security/CabinetState.reg
@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
+"FullPath"=dword:00000001
+"FullPathAddress"=dword:00000001
diff --git a/Security/Clear the Page File at shutdown.reg b/Security/Clear the Page File at shutdown.reg
new file mode 100644
index 0000000..59b57ba
--- /dev/null
+++ b/Security/Clear the Page File at shutdown.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
+"ClearPageFileAtShutdown"=dword:1
diff --git a/Security/Configure Windows script host shell.reg b/Security/Configure Windows script host shell.reg
new file mode 100644
index 0000000..fb5f66c
--- /dev/null
+++ b/Security/Configure Windows script host shell.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
+"TrustPolicy"=dword:1
diff --git a/Security/Deactivate the secured shell modus.reg b/Security/Deactivate the secured shell modus.reg
new file mode 100644
index 0000000..dace540
--- /dev/null
+++ b/Security/Deactivate the secured shell modus.reg
@@ -0,0 +1,6 @@
+Windows Registry Editor Version 5.00
+
+; This decrease the security since it disabled the Protocol Behavior, but in some cases
+; it can help.
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
+"PreXPSP2ShellProtocolBehavior"=dword:1
diff --git a/Security/Disable Roaming security check.reg b/Security/Disable Roaming security check.reg
new file mode 100644
index 0000000..0de6f78
--- /dev/null
+++ b/Security/Disable Roaming security check.reg
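Review bot: In `Security/Configure Windows script host shell.reg`, `"TrustPolicy"=dword:1` is added with no comment saying what the value means, and as far as I know 1 only prompts the user when a script is unsigned or untrusted, while 2 is the value that refuses to run such scripts. If the intent is to block unsigned scripts the line should be `"TrustPolicy"=dword:2`; either way a leading comment such as `; TrustPolicy: 0 = run all scripts, 1 = prompt for untrusted scripts, 2 = run only trusted (signed) scripts` would make the choice reviewable. It is also worth confirming that the target Windows versions still honour this value, since later Windows Script Host builds are reported to defer to Software Restriction Policies instead.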
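Review bot: `Security/Deactivate the secured shell modus.reg` turns a protection off machine-wide (`"PreXPSP2ShellProtocolBehavior"=dword:1` under HKEY_LOCAL_MACHINE), yet it sits in the Security folder beside the hardening files, so anyone importing the folder in bulk will apply it. The two-line comment admits the weakening but does not say which cases need it or how to revert; I would replace it with something like `; WARNING: weakens security - restores the pre-XP-SP2 handling of the shell: protocol. Import only for a specific compatibility problem; set the value to 0 or delete it to revert.` Moving the file to a clearly named opt-out folder would also keep it out of bulk imports.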
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
+"CompatibleRUPSecurity"=dword:0
+
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
+"CompatibleRUPSecurity"=dword:0
diff --git a/Security/Disable WPAD.reg b/Security/Disable WPAD.reg
new file mode 100644
index 0000000..46ce019
Binary files /dev/null and b/Security/Disable WPAD.reg differ
diff --git a/Security/Do not allow removable storage devices.reg b/Security/Do not allow removable storage devices.reg
new file mode 100644
index 0000000..485b4b0
--- /dev/null
+++ b/Security/Do not allow removable storage devices.reg
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\RemovableStorageDevices]
+"Deny_All"=dword:1
+
+[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices]
+"Deny_All"=dword:1
diff --git a/Security/Do not safe zone information in attachments.reg b/Security/Do not safe zone information in attachments.reg
new file mode 100644
index 0000000..19c2df2
--- /dev/null
+++ b/Security/Do not safe zone information in attachments.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
+"SaveZoneInformation"=dword:1
diff --git a/Security/EFS/Disable EFS encryption.reg b/Security/EFS/Disable EFS encryption.reg
new file mode 100644
index 0000000..9671f03
--- /dev/null
+++ b/Security/EFS/Disable EFS encryption.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Efs]
+"EfsConfiguration"=dword:1
diff --git a/Security/Enable secured login.reg b/Security/Enable secured login.reg
new file mode 100644
index 0000000..56ed5c9
--- /dev/null
+++ b/Security/Enable secured login.reg
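Review bot: In `Security/Disable Roaming security check.reg` the file name and the data disagree: to my knowledge `CompatibleRUPSecurity` backs the policy "Do not check for user ownership of Roaming Profile Folders", where 1 skips the ownership check and 0 leaves it enforced, so `dword:0` does not disable anything. Either rename the file to say that the check stays enabled, or, if skipping the check is really intended, add a comment stating that this weakens roaming-profile folder protection before changing the value. The HKEY_CURRENT_USER copy is probably inert because this looks like a computer-only policy; please confirm and drop it if so.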
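Review bot: `"SaveZoneInformation"=dword:1` in `Security/Do not safe zone information in attachments.reg` stops Windows from writing zone information (Mark of the Web) to saved attachments, which removes the signal that SmartScreen, Office Protected View and the open-file warning rely on for downloaded files. That is a weakening, and the file carries no comment saying so while sitting in the Security folder. If the goal is hardening the value should be `"SaveZoneInformation"=dword:2` (preserve zone information); if the current behaviour is wanted, add a leading comment such as `; WARNING: 1 = do not preserve zone information (disables Mark of the Web), 2 = preserve it`.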
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI]
+"EnableSecureCredentialPrompting"=dword:1
diff --git a/Security/Force keep positive entries in DNS Cache for 4 hours.reg b/Security/Force keep positive entries in DNS Cache for 4 hours.reg
new file mode 100644
index 0000000..a035509
--- /dev/null
+++ b/Security/Force keep positive entries in DNS Cache for 4 hours.reg
@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+
+; Force keep positive entries in DNS Cache for only 4 hours instead of the default 24 hours
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
+"MaxCacheTtl "=dword:00003840
diff --git a/Security/If an Administrator attempts a protected action - Silently Succeed.reg b/Security/If an Administrator attempts a protected action - Silently Succeed.reg
new file mode 100644
index 0000000..15af8aa
--- /dev/null
+++ b/Security/If an Administrator attempts a protected action - Silently Succeed.reg
@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+
+;If an Administrator attempts a protected action - Silently Succeed
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
+"ConsentPromptBehaviorAdmin"=dword:00000000
diff --git a/Security/Internet Explorer/Disable unimportant error msgs.reg b/Security/Internet Explorer/Disable unimportant error msgs.reg
new file mode 100644
index 0000000..c3e6d3e
--- /dev/null
+++ b/Security/Internet Explorer/Disable unimportant error msgs.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
+"Friendly http errors"="yes"
diff --git a/Security/Internet Explorer/Do not allow automatically installations of addons.reg b/Security/Internet Explorer/Do not allow automatically installations of addons.reg
new file mode 100644
index 0000000..4a6425a
--- /dev/null
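Review bot: The value name in `Security/Force keep positive entries in DNS Cache for 4 hours.reg` is written as `"MaxCacheTtl "` with a trailing space inside the quotes, so the import creates a differently named value that the DNS Client service will not look up and the setting has no effect. The line should read `"MaxCacheTtl"=dword:00003840`. The data itself matches the comment (0x3840 = 14400 seconds = 4 hours).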
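Review bot: `"ConsentPromptBehaviorAdmin"=dword:00000000` in `Security/If an Administrator attempts a protected action - Silently Succeed.reg` makes elevation for administrators succeed with no prompt, which removes the consent step UAC exists to provide: anything running in an administrator's session can then elevate without the user seeing it. The comment only repeats the file name and gives no hint that this is a weakening shipped inside the Security folder. I would either move it out of the hardening set or add a warning such as `; WARNING: weakens UAC - 0 = elevate without prompting, 2 = prompt for consent on the secure desktop, 5 = prompt for consent for non-Windows binaries (default)`.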
+++ b/Security/Internet Explorer/Do not allow automatically installations of addons.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions]
+"NoJITSetup"=dword:1
diff --git a/Security/Internet Explorer/Do not allow to import or export favourites.reg b/Security/Internet Explorer/Do not allow to import or export favourites.reg
new file mode 100644
index 0000000..5da45fc
--- /dev/null
+++ b/Security/Internet Explorer/Do not allow to import or export favourites.reg
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer]
+"DisableImportExportFavorites"=dword:1
+
+[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]
+"DisableImportExportFavorites"=dword:1
diff --git a/Security/Internet Explorer/Internet Explorer configuration example.reg b/Security/Internet Explorer/Internet Explorer configuration example.reg
new file mode 100644
index 0000000..659e521
Binary files /dev/null and b/Security/Internet Explorer/Internet Explorer configuration example.reg differ
diff --git a/Security/Internet Explorer/Restict unsafe online help functions.reg b/Security/Internet Explorer/Restict unsafe online help functions.reg
new file mode 100644
index 0000000..bb6ea32
--- /dev/null
+++ b/Security/Internet Explorer/Restict unsafe online help functions.reg
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
+"HelpQualifiedRootDir"=hex(2):00,00
+
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
+"HelpQualifiedRootDir"=hex(2):00,00
diff --git a/Security/LAN/no lmhash on passwort change on LAN.reg b/Security/LAN/no lmhash on passwort change on LAN.reg
new file mode 100644
index 0000000..27c5500
--- /dev/null
+++ b/Security/LAN/no lmhash on passwort change on LAN.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
+"nolmhash"=dword:1
diff --git a/Security/MSI/Do not allow the Windows Installer to install anything from removable drives.reg b/Security/MSI/Do not allow the Windows Installer to install anything from removable drives.reg
new file mode 100644
index 0000000..8af4f73
--- /dev/null
+++ b/Security/MSI/Do not allow the Windows Installer to install anything from removable drives.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
+"DisableMedia"=dword:1
diff --git a/Security/Only allow specific shell extensions.reg b/Security/Only allow specific shell extensions.reg
new file mode 100644
index 0000000..62a8b0b
--- /dev/null
+++ b/Security/Only allow specific shell extensions.reg
@@ -0,0 +1,7 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
+"[RSW:VALUELIST]"=""
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
+"[RSW:VALUELIST]"=""
diff --git a/Security/Restrict Anonymous User.reg b/Security/Restrict Anonymous User.reg
new file mode 100644
index 0000000..ffbe1bb
--- /dev/null
+++ b/Security/Restrict Anonymous User.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+"RestrictAnonymous"=dword:1
diff --git a/Security/Security Center/Activate Security Center for Domain PC's.reg b/Security/Security Center/Activate Security Center for Domain PC's.reg
new file mode 100644
index 0000000..9461aef
--- /dev/null
+++ b/Security/Security Center/Activate Security Center for Domain PC's.reg
@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Security Center]
+"SecurityCenterInDomain"=dword:1
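Review bot: `"[RSW:VALUELIST]"=""` in `Security/Only allow specific shell extensions.reg` looks like an unexpanded template placeholder: imported as-is it creates a value literally named `[RSW:VALUELIST]` with empty data in both Approved keys and neither approves nor restricts anything. The file needs the real entries (one `"{<CLSID>}"="<description>"` value per approved extension, placeholders shown here) or a leading comment saying it is a template that a tool must fill in before import. As far as I know the Approved list is only enforced when `EnforceShellExtensionSecurity` is set under `Policies\Explorer`, which this file does not do, so the file name over-promises either way.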
diff --git a/Security/Security Center/Configure the Security Center.reg b/Security/Security Center/Configure the Security Center.reg
new file mode 100644
index 0000000..4702954
--- /dev/null
+++ b/Security/Security Center/Configure the Security Center.reg
@@ -0,0 +1,6 @@
+Windows Registry Editor Version 5.00
+
+; Warn on missing AV and if Firewall gets deactivated
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+"FirewallOverride"=dword:1
+"AntiVirusOverride"=dword:1
diff --git a/Security/Telemetry/all-in-one.bat b/Security/Telemetry/all-in-one.bat
new file mode 100644
index 0000000..a3e5c84
--- /dev/null
+++ b/Security/Telemetry/all-in-one.bat
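Review bot: The comment in `Security/Security Center/Configure the Security Center.reg` says "Warn on missing AV and if Firewall gets deactivated", but to my knowledge `FirewallOverride` and `AntiVirusOverride` set to 1 tell Security Center that the user monitors those products themselves and suppress its alerts, which is the opposite of the comment. If warnings are wanted the lines should be `"FirewallOverride"=dword:0` and `"AntiVirusOverride"=dword:0`. Tamper-detection rules commonly alert on these two values being set to 1, so shipping them this way would also make a hardened machine look compromised to anyone auditing the key.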
@@ -0,0 +1,83 @@
+REM keeping win7 clean !!!! (change this file CleanWin7.txt extension to cmd and run)
+
+:: reg hacks -------------------------------------------
+REM disable downloaded w10 files
+reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx /f /v DisableGwx /t REG_DWORD /d 1
+REM disable upgrade requests
+reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f /v DisableOSUpgrade /t REG_DWORD /d 1
+
+:: services ---------------------------------------------
+sc config DiagTrack start= disabled
+net stop DiagTrack
+
+:: scheduled tasks reporting to Redmond -----------
+schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE
+REM schtasks /Change /TN "\Microsoft\Windows\Autochk\Media Center\*all*" /DISABLE
+REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\launchtrayprocess" /DISABLE
+REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfig" /DISABLE
+REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" /DISABLE
+REM schtasks /Change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxcontent" /DISABLE
+schtasks /Change /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE
+
+:: evil updates -----------------------------------------
+
+REM kb971033 License validation check
+start "title" /b /wait wusa.exe /kb:971033 /uninstall /quiet /norestart
+
+REM kb2876229 Skype
+start "title" /b /wait wusa.exe /kb:2876229 /uninstall /quiet /norestart
+
+REM kb2952664 Compatibility update for upgrading Windows 7
+start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
+
+REM kb2976978 Compatibility update for Windows 8.1 and Windows 8
+start "title" /b /wait wusa.exe /kb:2976978 /uninstall /quiet /norestart
+
+REM kb2977759 - W10 Diagnostics Compatibility telemetry
+start "title" /b /wait wusa.exe /kb:2977759 /uninstall /quiet /norestart
+
+REM kb2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
+start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
+
+REM kb3012973 Upgrade to Windows 10 Pro
+start "title" /b /wait wusa.exe /kb:3012973 /uninstall /quiet /norestart
+
+REM kb3021917 Update to Windows 7 SP1 for performance improvements
+start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
+
+REM kb3022345 Update for customer experience and diagnostic telemetry (replace with KB3068708)
+start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
+
+REM kb3035583 Update installs get windows 10 app in Windows 8.1 and Windows 7 SP1
+start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
+
+REM kb3044374 - W8,8.1 Nagware for W10
+start "title" /b /wait wusa.exe /kb:3044374 /uninstall /quiet /norestart
+
+REM kb3050265 - Windows Update service updated to accept upgrade to W10
+start "title" /b /wait wusa.exe /kb:3050265 /uninstall /quiet /norestart
+
+REM kb3065987 - update for Windows Update (v7 v2008)
+start "title" /b /wait wusa.exe /kb:3065987 /uninstall /quiet /norestart
+
+REM kb3068707 - Customer experience telemetry points
+start "title" /b /wait wusa.exe /kb:3068707 /uninstall /quiet /norestart
+
+REM kb3068708 (replaces KB3022345) Update for customer experience and diagnostic telemetry
+start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
+
+REM kb3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
+start "title" /b /wait wusa.exe /kb:3075249 /uninstall /quiet /norestart
+
+REM kb3080149 Update for customer experience and diagnostic telemetry
+start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
+
+REM Remember to *hide* all these in Windows Update
\ No newline at end of file
diff --git a/Security/Telemetry/badupdateremover.bat b/Security/Telemetry/badupdateremover.bat
new file mode 100644
index 0000000..1d60997
--- /dev/null
+++ b/Security/Telemetry/badupdateremover.bat
@@ -0,0 +1,29 @@
+@echo off
+
+if %1. == . goto usage
+
+set UNINSTALLX=uninstall-%1-updates.cmd
+set HIDEX=hide-%1-updates.ps
+set BADUPDATES=
+
+echo %1
+if %1 == win7 set BADUPDATES=971033 2952664 2977759 2990214 3021917 3022345 3035583 3050265 3065987 3068708 3075249 3080149
+if %1 == win81 set BADUPDATES=2976978 3022345 3035583 3044374 3050267 3068708 3075249 3075853 3080149
+if %1 == w2008r2 set BADUPDATES=3022345 3050265 3065987 3068708 3080149
+if %1 == w2012r2 set BADUPDATES=3022345 3068708 3075853 3080140
+if not defined BADUPDATES goto usage
+
+echo %BADUPDATES%
+if exist %UNINSTALLX% del %UNINSTALLX%
+if exist %HIDEX% del %HIDEX%
+for %%n in (%BADUPDATES%) do (
+ echo start /w wusa.exe /uninstall /kb:%%n /norestart >> %UNINSTALLX%
+ echo Hide-WUUpdate -Confirm:$false -HideStatus:$true -KBArticleID KB%%n >> %HIDEX%
+)
+goto end
+
+:usage
+echo Okay, you didn't give the right parameter... it needs to be win7, win81, w2008r2 or w2012r2
+
+:end
+echo.
\ No newline at end of file
diff --git a/Security/Telemetry/telemetryremover.vbs b/Security/Telemetry/telemetryremover.vbs
new file mode 100644
index 0000000..62e62c3
--- /dev/null
+++ b/Security/Telemetry/telemetryremover.vbs
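Review bot: Every uninstall line in `Security/Telemetry/all-in-one.bat` calls `wusa.exe` by bare name, so cmd resolves it through the current directory before System32; a script that users are told to download, rename and run with admin rights should pin the path, e.g. `start "title" /b /wait "%SystemRoot%\System32\wusa.exe" /kb:971033 /uninstall /quiet /norestart`. The same applies to the `reg`, `sc`, `net` and `schtasks` calls here, to the `wusa.exe` lines in `Security/Telemetry/wiper.bat`, and to the line that `badupdateremover.bat` writes into its generated script. The script also has no OS-version or elevation check and ignores every exit code, so on the wrong system or without admin rights it fails without saying so. The list also removes kb3050265 and kb3065987, which the file's own comments describe as updates to Windows Update itself rather than telemetry, so each removal deserves a one-line justification.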
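Review bot: `set HIDEX=hide-%1-updates.ps` in `Security/Telemetry/badupdateremover.bat` gives the generated PowerShell script a `.ps` extension, which PowerShell will not execute as a script; it should be `set HIDEX=hide-%1-updates.ps1`. `Hide-WUUpdate` is not a built-in cmdlet (it appears to come from the third-party PSWindowsUpdate module), so the usage text should name that prerequisite and where the reviewer expects it to be obtained from. The w2012r2 list contains 3080140 where every other list has 3080149, which looks like a typo worth checking against the intended KB.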
@@ -0,0 +1,30 @@
+Dim hideupdates(9)
+
+hideupdates(0) = "KB2952664"
+hideupdates(1) = "KB2990214"
+hideupdates(2) = "KB3021917"
+hideupdates(3) = "KB3035583"
+hideupdates(4) = "KB3068708"
+hideupdates(5) = "KB2977759"
+hideupdates(6) = "KB3075249"
+hideupdates(7) = "KB3080149"
+hideupdates(8) = "KB3050265"
+hideupdates(9) = "KB3022345"
+
+
+set updateSession = createObject("Microsoft.Update.Session")
+set updateSearcher = updateSession.CreateupdateSearcher()
+
+Set searchResult = updateSearcher.Search("IsInstalled=0 and Type='Software'")
+
+For i = 0 To searchResult.Updates.Count-1
+set update = searchResult.Updates.Item(i)
+For j = LBound(hideupdates) To UBound(hideupdates)
+'MsgBox hideupdates(j)
+if instr(1, update.Title, hideupdates(j), vbTextCompare) = 0 then
+ 'Wscript.echo "No match found for " & hideupdates(j)
+else
+Wscript.echo "Hiding " & hideupdates(j)
+update.IsHidden = True
+end if
+Next
\ No newline at end of file
diff --git a/Security/Telemetry/wiper.bat b/Security/Telemetry/wiper.bat
new file mode 100644
index 0000000..22ab3b3
--- /dev/null
+++ b/Security/Telemetry/wiper.bat
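Review bot: `Security/Telemetry/telemetryremover.vbs` ends with a single `Next`, which closes the inner `For j` loop but leaves `For i = 0 To searchResult.Updates.Count-1` open, so Windows Script Host should reject the whole file with a syntax error (Expected 'Next') and no update gets hidden. Add a second `Next` after the existing one. An `Exit For` after `update.IsHidden = True` would avoid re-testing an update that has already matched, and a header comment should say the script must run elevated, since setting `IsHidden` is likely to fail otherwise.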
@@ -0,0 +1,75 @@
+ECHO OFF
+REM --- remember to invoke from ELEVATED command prompt!
+REM --- or start the batch with context menu "run as admin".
+SETLOCAL
+
+REM --- (as of 2015-08-26):
+REM KB3012973 - Upgrade to Windows 10 Pro
+REM KB3021917 - Update to Windows 7 SP1 for performance improvements
+REM KB3035583 - GWX Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
+REM KB2952664 - Compatibility update for upgrading Windows 7
+REM KB2976978 - Compatibility update for Windows 8.1 and Windows 8
+REM KB3022345 - Telemetry [Replaced by KB3068708]
+REM KB3068708 - Update for customer experience and diagnostic telemetry
+REM KB2990214 - Update that enables you to upgrade from Windows 7 to a later version of Windows
+REM KB3075249 - Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
+REM KB3080149 - Update for customer experience and diagnostic telemetry
+REM KB3044374 - W8,8.1 Nagware for W10
+REM KB2977759 - W10 Diagnostics Compatibility Telemetry
+REM KB3050265 - Windwos Update services update to upgrade to W10
+REM KB3068707 - Customer experience telemetry point. W7,8,8.1
+
+
+REM --- uninstall updates
+echo uninstalling updates ...
+start "title" /b /wait wusa.exe /kb:3012973 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:2976978 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3068708 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3075249 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3080149 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3044374 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:2977759 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3050265 /uninstall /quiet /norestart
+echo - done.
+start "title" /b /wait wusa.exe /kb:3068707 /uninstall /quiet /norestart
+echo - done.
+
+timeout 10
+
+echo ... COMPLETED (please remember to REBOOT, and Hide the Following KB Updates)
+echo ...3012973
+echo ...3021917
+echo ...3035583
+echo ...2952664
+echo ...2976978
+echo ...3022345
+echo ...3068708
+echo ...2990214
+echo ...3075249
+echo ...3080149
+echo ...3044374
+echo ...2977759
+echo ...3050265
+echo ...3068707
+echo - done.
+
+
+pause
+REM --- EOF
\ No newline at end of file
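Review bot: `Security/Telemetry/wiper.bat` prints `- done.` after every `wusa.exe` call and `COMPLETED` at the end regardless of the result, so a run from a non-elevated prompt, or on a machine where an update is not installed, still reports success for all fourteen packages. The header comments ask for an elevated prompt but nothing enforces it; a guard at the top such as `net session >nul 2>&1 || (echo Run this script elevated. & exit /b 1)` and an `if errorlevel 1 echo - failed, exit code %errorlevel%` after each call (assuming `start /wait` passes the exit code through, which should be confirmed) would make the output trustworthy. `ECHO OFF` on the first line should be `@ECHO OFF`, otherwise that command itself is echoed.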