Windows and Linux Threat Hunting

  • Windows ASEPs
    • https://cyberforensicator.com/2019/04/25/characteristics-and-detectability-of-windows-auto-start-extensibility-points-in-memory-forensics/
    • https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/
  • Windows 11 Artifacts
    • Prefetch
    • Link Files
    • Jumplists
    • Recycle Bin
    • Amcache
    • AppCompatCache
    • Registry
    • Event Logs
    • https://github.com/EricZimmerman?tab=repositories
  • Persistence
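The ASEP items above are usually hunted by exporting Autoruns from many hosts and stacking the results, as the offline-autoruns links describe. The following script is an added example, not code from this page or from Sysinternals: it parses per-host autorunsc -c CSV exports, counts on how many hosts each entry occurs, and flags entries that are rare across the fleet, unsigned, launched from a user-writable path, or started through a script or proxy-execution host. The column names are assumed to follow the autorunsc CSV header (with a Signer column), and the three host exports are constructed sample data.

```python
"""Offline ASEP triage: stack autorunsc -c CSV exports from several hosts and
surface entries that are rare, unsigned, in user-writable paths, or started
through a script/proxy-execution binary (least-frequency-of-occurrence hunt)."""
import csv
import io
import re
from collections import defaultdict

# Assumed column layout of an autorunsc -c export (Signer column present).
COLUMNS = ["Entry Location", "Entry", "Enabled", "Category", "Profile",
           "Description", "Signer", "Company", "Image Path", "Version",
           "Launch String", "SHA-256"]

# Directories a standard user can write to; persistence pointing here needs a look.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp|public)\\", re.I)
# Script hosts / proxy-execution binaries carrying an inline payload or remote source.
LOLBIN = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh)"
                    r"(\.exe)?\b.*?(-enc|-e |javascript:|scrobj|http)", re.I)


def asep_row(location, entry, signer, image, launch, sha256):
    """Constructed sample row; columns not needed for triage stay blank."""
    row = dict.fromkeys(COLUMNS, "")
    row.update({"Entry Location": location, "Entry": entry, "Enabled": "enabled",
                "Signer": signer, "Image Path": image, "Launch String": launch,
                "SHA-256": sha256})
    return row


def make_export(rows):
    """Serialise constructed rows to CSV text in the autorunsc -c layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = [  # present on every host, signed, in protected locations
    asep_row(HKLM_RUN, "SecurityHealth", "(Verified) Microsoft Windows",
             r"c:\windows\system32\securityhealthsystray.exe",
             r"%windir%\system32\SecurityHealthSystray.exe", "a1" * 32),
    asep_row(HKLM_RUN, "VPNAgent", "(Verified) Acme Pty Ltd",
             r"c:\program files\acme\agent.exe",
             r"C:\Program Files\Acme\agent.exe /tray", "b2" * 32),
]
SAMPLE_EXPORTS = {  # constructed: three hosts, two of them carrying one extra ASEP
    "WS01": make_export(BASELINE + [asep_row(
        HKCU_RUN, "Updater", "(Not verified)",
        r"c:\users\alice\appdata\roaming\svchost.exe",
        r"C:\Users\alice\AppData\Roaming\svchost.exe", "c3" * 32)]),
    "WS02": make_export(BASELINE + [asep_row(
        HKLM_RUN, "Helper", "(Verified) Microsoft Windows",
        r"c:\windows\system32\rundll32.exe",
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'
        r'new ActiveXObject("WScript.Shell").Run("calc")', "d4" * 32)]),
    "WS03": make_export(BASELINE),
}


def stack(exports):
    """exports: {hostname: csv_text}. Groups identical entries (location, name,
    image path, hash) across hosts and returns ({key: hosts}, {key: row})."""
    hosts_by_key, row_by_key = defaultdict(set), {}
    for host, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Entry Location"].lower(), row["Entry"].lower(),
                   row["Image Path"].lower(), row["SHA-256"].lower())
            hosts_by_key[key].add(host)
            row_by_key[key] = row
    return hosts_by_key, row_by_key


def triage(exports, rare_threshold=2):
    """Return findings sorted by number of reasons, then by host count."""
    hosts_by_key, row_by_key = stack(exports)
    total = len(exports)
    findings = []
    for key, hosts in hosts_by_key.items():
        row, reasons = row_by_key[key], []
        if total >= rare_threshold and len(hosts) < rare_threshold:
            reasons.append(f"rare ({len(hosts)}/{total} hosts)")
        if not row["Signer"].lower().startswith("(verified)"):
            reasons.append("unsigned or unverified signer")
        if USER_WRITABLE.search(row["Image Path"]):
            reasons.append("image in user-writable path")
        if LOLBIN.search(row["Launch String"]):
            reasons.append("script/proxy-execution launch string")
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "image": row["Image Path"], "hosts": sorted(hosts),
                             "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["reasons"]), len(f["hosts"])))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORTS):
        print(f["entry"], f["hosts"], "; ".join(f["reasons"]))
```

Feed it real exports by reading each host's CSV into the dictionary in place of SAMPLE_EXPORTS; the stacking key deliberately includes the hash so that a renamed or replaced binary at a familiar registry location still shows up as rare.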

AuditD

shadow files

  • btrfs
  • ecryptfs
  • ext2
  • ext3
  • ext4
  • fuse
  • fuseblk
  • jfs
  • nfs
  • overlay
  • ramfs
  • reiserfs
  • tmpfs
  • udf
  • vfat
  • xfs
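The AuditD and shadow files items above, as an added example that is not code from this page: assuming a watch rule such as -w /etc/shadow -p wa -k shadow, this script joins the SYSCALL, PATH and PROCTITLE records that share one event serial in audit.log and reports writes to /etc/shadow by anything other than the normal account-management tools, including denied attempts. The EXPECTED_WRITERS allowlist is an assumption to adjust per distribution, and the log lines are constructed sample data.

```python
"""Hunt auditd logs for unexpected modifications of /etc/shadow.

Assumes the watch  -w /etc/shadow -p wa -k shadow  is loaded. One audit event
spans several records (SYSCALL, CWD, PATH, PROCTITLE) that share a serial
number after the timestamp; they are regrouped here before being judged."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed allowlist: tools that legitimately rewrite the shadow file. passwd and
# friends write a temporary file and rename it over /etc/shadow, which still
# produces a PATH record naming /etc/shadow (nametype=CREATE).
EXPECTED_WRITERS = {"/usr/bin/passwd", "/usr/sbin/chpasswd", "/usr/sbin/usermod",
                    "/usr/sbin/useradd", "/usr/sbin/userdel", "/usr/sbin/pwconv",
                    "/usr/sbin/vipw", "/usr/bin/chage"}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def decode_proctitle(raw):
    """auditd hex-encodes PROCTITLE when the command line contains NUL separators."""
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\0", " ").strip()
    except ValueError:
        return raw


def parse_records(lines):
    """Group raw audit.log lines by event serial -> [(record type, fields)]."""
    events = defaultdict(list)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {"_ts": m["ts"]}
        for key, raw, quoted in FIELD_RE.findall(m["body"]):
            if raw.startswith('"'):
                fields[key] = quoted
            elif key == "proctitle":
                fields[key] = decode_proctitle(raw)
            else:
                fields[key] = raw
        events[m["serial"]].append((m["type"], fields))
    return events


def find_shadow_writes(lines, key="shadow"):
    """Return one finding per event tagged `key` whose PATH names /etc/shadow and
    whose executable is not an expected writer (failed attempts included)."""
    findings = []
    for serial, records in parse_records(lines).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        paths = [f.get("name", "") for t, f in records if t == "PATH"]
        if "/etc/shadow" not in paths:
            continue
        exe = syscall.get("exe", "")
        if exe in EXPECTED_WRITERS:
            continue
        proc = next((f for t, f in records if t == "PROCTITLE"), {})
        when = datetime.fromtimestamp(float(syscall["_ts"]), tz=timezone.utc)
        findings.append({
            "serial": serial, "when": when.isoformat(), "exe": exe,
            "comm": syscall.get("comm"), "cmdline": proc.get("proctitle"),
            "auid": syscall.get("auid"), "uid": syscall.get("uid"),
            "tty": syscall.get("tty"), "success": syscall.get("success"),
        })
    return findings


# Constructed sample: a legitimate passwd rename, vim editing the file directly,
# a denied append attempt by an unprivileged user, and an unrelated sudoers event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1711000000.101:1001): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd1 a1=7ffd2 a2=0 a3=0 items=4 ppid=2301 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow"
type=PATH msg=audit(1711000000.101:1001): item=3 name="/etc/shadow" inode=262146 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1711000000.202:1002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c4a0 a2=241 a3=1a4 items=2 ppid=4410 pid=4422 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim.basic" key="shadow"
type=CWD msg=audit(1711000000.202:1002): cwd="/root"
type=PATH msg=audit(1711000000.202:1002): item=0 name="/etc/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1711000000.202:1002): item=1 name="/etc/shadow" inode=262146 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1711000000.202:1002): proctitle=76696D002F6574632F736861646F77
type=SYSCALL msg=audit(1711000000.303:1003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e1a2c0 a2=441 a3=1b6 items=1 ppid=5100 pid=5107 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=5 comm="bash" exe="/usr/bin/bash" key="shadow"
type=CWD msg=audit(1711000000.303:1003): cwd="/home/bob"
type=PATH msg=audit(1711000000.303:1003): item=0 name="/etc/shadow" inode=262146 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1711000000.303:1003): proctitle="bash"
type=SYSCALL msg=audit(1711000000.404:1004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1 a2=241 a3=1b6 items=2 ppid=1 pid=6000 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudoers"
type=PATH msg=audit(1711000000.404:1004): item=1 name="/etc/sudoers.tmp" inode=262200 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

if __name__ == "__main__":
    for f in find_shadow_writes(SAMPLE_AUDIT_LOG.splitlines()):
        print(f["when"], f["serial"], f["exe"], f["cmdline"], "auid=" + str(f["auid"]), "success=" + str(f["success"]))
```

Against a live system, pipe the output of ausearch -k shadow --raw (or the file /var/log/audit/audit.log) into find_shadow_writes; auid rather than uid is the field to pivot on, since it survives su and sudo and identifies the original login.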

Mobile Phone Digital Forensics

I was aware of law enforcement capabilities for mobile phone digital forensics but didn't put much thought into it until I started watching a late-night documentary, Forensics: The Real CSI, Season 1, Episode 3. The episode shows a real example of capturing evidence against a criminal. Here is some research on the same.

You can watch the documentary here;

The software in use looks like Cellebrite or Elcomsoft. Checking the vendor website, it advertises the following support:

  • iOS devices
    • Determine locks and perform a full file system extraction of iPhone devices.
    • Gain After-First-Unlock (AFU) access to locked iPhones (the device must be kept powered on).
    • Perform Before-First-Unlock (BFU) extraction without knowing the device passcode.
    • Access and decode 3rd party app data, chat conversations, downloaded emails and email attachments, deleted content and more.
  • Android devices
    • Bypass or determine locks and perform a physical extraction (Full Disk Encryption) or a full file system extraction (File-Based Encryption) on most Android devices on the market.
    • Gain After-First-Unlock (AFU) access to locked Android devices protected with File-Based Encryption (FBE).
    • Determine Secure Startup passcodes for locked Android devices with Full Disk Encryption (FDE).
    • Access data stored in secure containers like Samsung Secure Folder, Huawei PrivateSpace and Xiaomi Second Space.
    • Unlock the latest devices from Huawei, LG, Motorola, Nokia, OnePlus, Samsung, Sony, Xiaomi and ZTE.
  • Secure Enclave

Securing iPhone

Not to get into an Android vs iPhone argument, but if you are using an Android phone, good luck with security.

  1. Keep the OS up to date.
  2. Use Apple Configurator to restrict pairing to only the host running Configurator. This prevents the device from pairing with any other host, even when it is unlocked.
  3. On the iOS device, tapping “Erase All Content and Settings” is the only way to clear all of its pairings (along with all other data stored on the device).
  4. For a less destructive way to clear pairings, back up the device through iTunes (encrypt the backup with a strong passphrase), “Erase All Content and Settings” on the iOS device, and then restore settings and data from the iTunes backup.
  5. Understand lockdown (pairing) records
    1. https://support.apple.com/en-us/HT202778
    2. Pairing relationships established with devices running iOS 7 or earlier never expire and survive reboots and factory resets. Once such devices are updated to iOS 8 or newer, all existing trust relationships are revoked and must be re-established under the new rules.
    3. Since iOS 8, all pairing relationships remain unavailable after the device restarts or powers on until the device has been unlocked (at least once) with its passcode.

DetectX.com.au – Disclaimer

This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.

Thoughts and comments are my own as a security enthusiast and should not be quoted in any other context related to my employer.

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.

Photos

Unless stated, all photos are the work of site owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to detectx.com.au. For any reuse of blog, please contact me first.

Content

Unless stated, all content is the work of the site owner and is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. Please credit all content to detectx.com.au and link back to the original blog post.

Downloadable Files

Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.

Comments

Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to

  1. Comments deemed to be spam or questionable spam
  2. Comments including profanity
  3. Comments containing language or concepts that could be deemed offensive
  4. Comments containing hate speech, credible threats, or direct attacks on an individual or group

INFORMATION IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THESE SOLUTIONS OR THE USE OR OTHER DEALINGS WITH ANY OF THESE SOLUTIONS. “USE AT YOUR OWN RISK.”

The blog owner is not responsible for the content in comments.

This policy is subject to change at anytime.

This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to <http://unlicense.org/>

Detectx.com.au is alive!

Hello and welcome to detectx.com.au. This blog's intent is to create a central resource for cloud security, covering the combined fields of security architecture, SecOps, security automation (DevSecOps), incident response, penetration testing, threat intelligence and threat hunting, focused on public cloud (Azure, GCP and AWS).

  • Cloud Security Penetration Testing. Red Teaming. (e.g. TIBER-EU)
  • Cloud Security Digital Forensics.
  • Cloud Security Architecture and Detection Engineering. (Blue Teaming)
  • Cloud Security Incident Response.
  • Cloud Security Strategy and Risk Assessment.
  • Cloud Security Proactive Threat Hunting.
  • Cloud Security Monitoring and Compliance.
  • Cloud Security Automation.
  • Serverless, Container, SaaS, API and Web Security.

Proactive threat hunting is a unique combination of skills, and it is not something that is commonly promoted.

Proactive threat hunting grew out of digital forensics and incident response. It is about environment-wide insight and analysis: threat hunting is not incident investigation but a proactive search for known and unknown threats, so a threat hunter cannot sit and wait until something happens. It is human-led, both reactive and proactive, driven by risk analysis and integrated threat intelligence feeds that augment indicators of compromise.

Reactive, targeted and proactive threat hunting all help organisations improve security maturity and strengthen their defences. The key differentiator is continuous proactive threat hunting, which is the most effective preventive strategy of the three.

Threat hunting draws on EDR and XDR telemetry. XDR in its purest form is a platform that offers detection and response capabilities over extended telemetry sources and is managed by the purchasing entity.

This blog will include articles, podcasts, source code, templates, screencasts, best-practice guides, documentation templates and research into various aspects of cyber security.

Why write blogs? The Protégé Effect: How You Can Learn by Teaching Others

The protégé effect is a psychological phenomenon where teaching, pretending to teach, or preparing to teach information to others helps a person learn that information.

https://medium.com/accelerated-intelligence/explanation-effect-why-you-should-always-teach-what-you-learn-9800983a0ea1

DetectX Social media links

I will cull some of the above depending on popularity.

Rules for PodCasts and Blogs

  • 30 minutes, concise (no wasting time; straight to the point and the topic). A lot of podcasts are like listening to two people talk without any structure, going on forever.
  • Each podcast must have corresponding show notes, a table of contents, a blog post and references for everything discussed.
  • Provide a forum and discussion via Discord.
  • Content relevant to the Australian cyber security industry.

It is a peculiar irony in life that the fastest and best way to learn something is to give it to others as soon as you learn it, not to hog it yourself.

If you would like to support the blog, please share and subscribe to the following:

Windows 8 and Server 2012 Optimisation Guide for Citrix VDI

Windows 8 and Server 2012 Optimization Guide for Citrix VDI

[source]
‘ Title: Windows 8 and Server 2012 VDI Optimization Script
‘ Author: Pablo Legorreta
‘ Modifications: Steven Krueger &amp;amp; William Elvington

‘ Special thanks to Jonathan Bennett (AutoITScript)
‘ for creating a wonderful optimizer tool and to Jeff Stokes (MSFT)
‘ for creating the original baseline script for Windows 7


‘ Purpose: The following script will prepare a Windows 8 or Server 2012
‘ static image for VDI deployment based on MSFT and Citrix recommendations.

‘ Requirements: Administrative Privileges, Registry backup – Just in case 😉

‘ // ==============
‘ // Variables
‘ // ==============

‘ Constants
Const ForReading = 1
Const Disable_Aero = False
Const Disable_BranchCache = False
Const Disable_EFS = False
Const Disable_iSCSI = False
Const Disable_MachPass = False
Const Disable_Search = False

Const Install_NetFX3 = False
Const NetFX3_Source = &quot;D:\Sources\SxS&quot;

‘ Common objects
Set oShell = WScript.CreateObject (&quot;WScript.Shell&quot;)
Set oFSO = CreateObject(&quot;Scripting.FileSystemObject&quot;)
Set oEnv = oShell.Environment(&quot;User&quot;)

‘ Command Line Arguments for Some Settings
Set colNamedArguments = WScript.Arguments.Named

If colNamedArguments.Exists(&quot;Aero&quot;) Then
strAero = colNamedArguments.Item(&quot;Aero&quot;)
Else
strAero = Disable_Aero
End If

If colNamedArguments.Exists(&quot;BranchCache&quot;) Then
strBranchCache = colNamedArguments.Item(&quot;BranchCache&quot;)
Else
strBranchCache = Disable_BranchCache
End If

If colNamedArguments.Exists(&quot;EFS&quot;) Then
strEFS = colNamedArguments.Item(&quot;EFS&quot;)
Else
strEFS = Disable_EFS
End If

If colNamedArguments.Exists(&quot;iSCSI&quot;) Then
striSCSI = colNamedArguments.Item(&quot;iSCSI&quot;)
Else
striSCSI = Disable_iSCSI
End If

If colNamedArguments.Exists(&quot;MachPass&quot;) Then
strMachPass = colNamedArguments.Item(&quot;MachPass&quot;)
Else
strMachPass = Disable_MachPass
End If

If colNamedArguments.Exists(&quot;Search&quot;) Then
strSearch = colNamedArguments.Item(&quot;Search&quot;)
Else
strSearch = Disable_Search
End If

If colNamedArguments.Exists(&quot;NetFX3&quot;) Then
strNetFX3 = colNamedArguments.Item(&quot;NetFX3&quot;)
Else
strNetFX3 = Install_NetFX3
End If

‘ Enable RDP Connections
RunWait &quot;WMIC rdtoggle where AllowTSConnections=0 call SetAllowTSConnections 1,1&quot;
RunWait &quot;netsh advfirewall firewall set rule group=&quot; &amp;amp; Chr(34) &amp;amp; &quot;remote desktop&quot; &amp;amp; Chr(34) &amp;amp; &quot; new enable=Yes&quot;

‘ // ==================
‘ // Service Settings
‘ // ==================

‘ Disable Application Layer Gateway Service
RunWait &quot;sc config ALG start= disabled&quot;

‘ Disable Background Intelligent Transfer Service
RunWait &quot;sc config BITS start= disabled&quot;

‘ Disable Bitlocker Drive Encryption Service
RunWait &quot;sc config BDESVC start= disabled&quot;

‘ Disable Block Level Backup Engine Service
RunWait &quot;sc config wbengine start= disabled&quot;

‘ Disable Bluetooth Support Service
RunWait &quot;sc config bthserv start= disabled&quot;

If strBranchCache = True Then
‘ Disable BranchCache Service
RunWait &quot;sc config PeerDistSvc start= disabled&quot;
End If

‘ Disable Computer Browser Service
RunWait &quot;sc config Browser start= disabled&quot;

‘ Disable Device Association Service
RunWait &quot;sc config DeviceAssociationService start= disabled&quot;

‘ Disable Device Setup Manager Service
RunWait &quot;sc config DsmSvc start= disabled&quot;

‘ Disable Diagnostic Policy Services
RunWait &quot;sc config DPS start= disabled&quot;
RunWait &quot;sc config WdiServiceHost start= disabled&quot;
RunWait &quot;sc config WdiSystemHost start= disabled&quot;

‘ Disable Distributed Link Tracking Client Service
RunWait &quot;sc stop TrkWks&quot;
RunWait &quot;sc config TrkWks start= disabled&quot;

If strEFS = True Then
‘ Disable Encrypting File System Service
RunWait &quot;sc config EFS start= disabled&quot;
End If

‘ Disable Family Safety Service
RunWait &quot;sc config WPCSvc start= disabled&quot;

‘ Disable Fax Service
RunWait &quot;sc config Fax start= disabled&quot;

‘ Disable Function Discovery Resource Publication Service
RunWait &quot;sc config FDResPub start= disabled&quot;

‘ Disable HomeGroup Listener Service
RunWait &quot;sc config HomeGroupListener start= disabled&quot;

‘ Disable HomeGroup Provider Service
RunWait &quot;sc config HomeGroupProvider start= disabled&quot;

If striSCSI = True Then
‘ Disable Microsoft iSCSI Initiator Service
RunWait &quot;sc config msiscsi start= disabled&quot;
End If

‘ Disable Microsoft Software Shadow Copy Provider Service
RunWait &quot;sc config swprv start= disabled&quot;

‘ Set Network List Service to Auto
RunWait &quot;sc config netprofm start= auto&quot;

‘ Disable Offline Files
RunWait &quot;sc config CscService start= disabled&quot;

‘ Disable Optimize Drives Service
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\defrag\ScheduledDefrag&quot;&quot; /disable&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\Enable&quot;, &quot;N&quot;, &quot;REG_SZ&quot;
RunWait &quot;sc config defragsvc start= disabled&quot;

‘ Disable Secure Socket Tunneling Protocol Service
RunWait &quot;sc config SstpSvc start= disabled&quot;

‘ Disable Security Center
RunWait &quot;sc config wscsvc start= disabled&quot;

‘ Disable Sensor Monitoring Service
RunWait &quot;sc config SensrSvc start= disabled&quot;

‘ Disable Shell Hardware Detection Service
RunWait &quot;sc config ShellHWDetection start= disabled&quot;

‘ Disable SNMP Trap Service
RunWait &quot;sc config SNMPTRAP start= disabled&quot;

‘ Disable SSDP Discovery Service
RunWait &quot;sc stop SSDPSRV&quot;
RunWait &quot;sc config SSDPSRV start= disabled&quot;

‘ Disable SuperFetch
RunWait &quot;sc config SysMain start= disabled&quot;

‘ Disable Telephony Service
RunWait &quot;sc config TapiSrv start= disabled&quot;

If strAero = True Then
‘ Disable Themes Service
RunWait &quot;sc config Themes start= disabled&quot;
End If

‘ Disable UPnP Device Host Service
RunWait &quot;sc config upnphost start= disabled&quot;

‘ Disable Volume Shadow Copy Service
RunWait &quot;sc config VSS start= disabled&quot;

‘ Disable Windows Backup Service
RunWait &quot;sc config SDRSVC start= disabled&quot;

‘ Disable Windows Color System Service
RunWait &quot;sc config WcsPlugInService start= disabled&quot;

‘ Disable Windows Connect Now – Config Registrar Service
RunWait &quot;sc config wcncsvc start= disabled&quot;

‘ Disable Windows Defender Service
RunWait &quot;sc config WinDefend start= disabled&quot;

‘ Disable Windows Error Reporting Service
RunWait &quot;sc config WerSvc start= disabled&quot;

‘ Disable Windows Media Player Network Sharing Service
RunWait &quot;sc config WMPNetworkSvc start= disabled&quot;

‘ Break out Windows Management Instrumentation Service
RunWait &quot;winmgmt /standalonehost&quot;
RunWait &quot;sc config winmgmt group= COM Infrastructure&quot;

‘ Disable Windows Search Service
If strSearch = True Then
RunWait &quot;sc stop WSearch&quot;
RunWait &quot;sc config WSearch start= disabled&quot;
End If

‘ Disable Windows Updates
RunWait &quot;sc config wuauserv start= disabled&quot;

‘ Disable WLAN AutoConfig Service
RunWait &quot;sc config Wlansvc start= disabled&quot;

‘ Disable WWAN AutoConfig Service
RunWait &quot;sc config WwanSvc start= disabled&quot;

‘ // ================
‘ // Computer Settings
‘ // ================

‘ Disable Hard disk timeouts
RunWait &quot;POWERCFG /SETACVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0&quot;
RunWait &quot;POWERCFG /SETDCVALUEINDEX 381b4222-f694-41f0-9685-ff5bb260df2e 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0&quot;

‘ Disable Action Center
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth&quot;, &amp;amp;H00000001, &quot;REG_DWORD&quot;

‘ Optimize Processor Resource Scheduling
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl\Win32PrioritySeparation&quot;, &amp;amp;H00000026, &quot;REG_DWORD&quot;

‘ Disable TCP/IP / Large Send Offload
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload&quot;, &amp;amp;H00000001, &quot;REG_DWORD&quot;

‘ Disable hibernate
RunWait &quot;powercfg -h off&quot;

‘ Disable NTFS Last Access Timestamps
RunWait &quot;FSUTIL behavior set disablelastaccess 1&quot;

If strMachPass = True Then
‘ Disable Machine Account Password Changes
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange&quot;, &amp;amp;H00000001, &quot;REG_DWORD&quot;
End If

‘ Disable memory dumps
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled&quot;, &amp;amp;H00000000, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\LogEvent&quot;, &amp;amp;H00000000, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\SendAlert&quot;, &amp;amp;H00000000, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot&quot;, &amp;amp;H00000001, &quot;REG_DWORD&quot;

‘ Disable default system screensaver
oShell.RegWrite &quot;HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive&quot;, 0, &quot;REG_DWORD&quot;

‘ Increase service startup timeouts
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServicesPipeTimeout&quot;, &amp;amp;H0002bf20, &quot;REG_DWORD&quot;

‘ Increase Disk I/O Timeout to 200 seconds.
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\TimeOutValue&quot;, &amp;amp;H000000C8, &quot;REG_DWORD&quot;

‘ Disable Other Scheduled Tasks
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Application Experience\AitAgent&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Application Experience\ProgramDataUpdater&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Application Experience\StartupAppTask&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Autochk\Proxy&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Bluetooth\UninstallDeviceTask&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Customer Experience Improvement Program\BthSQM&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Customer Experience Improvement Program\Consolidator&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Customer Experience Improvement Program\KernelCeipTask&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Customer Experience Improvement Program\Uploader&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Customer Experience Improvement Program\UsbCeip&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Diagnosis\Scheduled&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Maintenance\WinSAT&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\MobilePC\HotStart&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Power Efficiency Diagnostic\AnalyzeSystem&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\RAC\RacTask&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Ras\MobilityManager&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Registry\RegIdleBackup&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Shell\FamilySafetyMonitor&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Shell\FamilySafetyRefresh&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\SideShow\AutoWake&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\SideShow\GadgetManager&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\SideShow\SessionAgent&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\SideShow\SystemDataProviders&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\UPnP\UPnPHostConfig&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\WDI\ResolutionHost&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Windows Filtering Platform\BfeOnServiceStartTypeChange&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\Windows Media Sharing\UpdateLibrary&quot;&quot; /disable&quot;
RunWait &quot;schtasks /change /tn &quot;&quot;microsoft\windows\WindowsBackup\ConfigNotification&quot;&quot; /disable&quot;

‘ Configure Event Logs to 1028KB (Minimum size under Vista/7) and set retention to &quot;overwrite&quot;
Set oEventLogs = GetObject(&quot;winmgmts:{impersonationLevel=impersonate,(Security)}!//./root/cimv2&quot;).InstancesOf(&quot;Win32_NTEventLogFile&quot;)
For Each e in oEventLogs
e.MaxFileSize = 1052672
e.OverWritePolicy = &quot;WhenNeeded&quot;
e.OverWriteOutdated = 0
e.Put_
e.ClearEventLog()
Next

oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Application\Retention&quot;, 0, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\Security\Retention&quot;, 0, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog\System\Retention&quot;, 0, &quot;REG_DWORD&quot;

‘ Set PopUp Error Mode to &quot;Neither&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\ErrorMode&quot;, 2, &quot;REG_DWORD&quot;

‘ Disable bootlog and boot animation
RunWait &quot;bcdedit /set {default} bootlog no&quot;
RunWait &quot;bcdedit /set {default} quietboot yes&quot;

‘ Disable UAC secure desktop prompt
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop&quot;, &amp;amp;H00000000, &quot;REG_DWORD&quot;

‘ Disable New Network dialog
RunWait &quot;reg add HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff&quot;

‘ Disable AutoUpdate of drivers from WU
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\searchorderConfig&quot;, 0, &quot;REG_DWORD&quot;

‘ Turn off Windows SideShow and install NetFX3
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow\Disabled&quot;, 1, &quot;REG_DWORD&quot;
If strNetFX3 = True Then
RunWait &quot;dism /online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:&quot; &amp;amp; NetFX3_Source &amp;amp; &quot; /NoRestart&quot;
End If

‘ Disable IE First Run Wizard and RSS Feeds
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize&quot;, 1, &quot;REG_DWORD&quot;

‘ Disable the ability to clear the paging file during shutdown
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\ClearPageFileAtShutdown&quot;, 0, &quot;REG_DWORD&quot;

‘ Disable Internet Explorer Enhanced Security Enhanced
oShell.RegWrite &quot;HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073\IsInstalled&quot;, 0, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073\IsInstalled&quot;, 0, &quot;REG_DWORD&quot;

‘ Disables Background Layout Service
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout\EnabledAutoLayout&quot;, 0, &quot;REG_DWORD&quot;

‘ Disables CIFS Change Notifications
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteRecursiveEvents&quot;, &amp;amp;H00000001, &quot;REG_DWORD&quot;

‘ Disable Data Execution Prevention
RunWait &quot;bcdedit /set nx AlwaysOff&quot;

‘ Set Power Saving Scheme to High Performance
RunWait &quot;powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c&quot;

‘ Set Recovery Dump to Small
RunWait &quot;wmic recoveros set DebugInfoType = 3&quot;

‘ Perform a disk cleanup
‘ Automate by creating the reg checks corresponding to &quot;cleanmgr /sageset:100&quot; so we can use &quot;sagerun:100&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Active Setup Temp Folders\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Memory Dump Files\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Offline Pages Files\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Old ChkDsk Files\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations\StateFlags0100&quot;, &amp;amp;H00000000, &quot;REG_DWORD&quot;
oShell.RegWrite &quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin\StateFlags0100&quot;, &amp;amp;H00000002, &quot;REG_DWORD&quot;
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Setup Log Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error memory dump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error minidump files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Upgrade Discarded Files\StateFlags0100", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Archive Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files\StateFlags0100", &H00000002, "REG_DWORD"
oShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Upgrade Log Files\StateFlags0100", &H00000002, "REG_DWORD"
' Run Disk Cleanup with saved profile 100 (the StateFlags0100 values above).
' Every category set to 2 is purged, which includes memory dumps, minidumps,
' WER queue/archive files and the thumbnail cache: artifacts an investigator
' normally relies on, so know this before running it on a box of interest.
RunWait "cleanmgr.exe /sagerun:100"

' // =============
' // User Settings
' // =============

' Reduce menu show delay
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay", "0", "REG_SZ"

' Disable cursor blink
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate", "-1", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DisableCursorBlink", &H00000001, "REG_DWORD"

' Force off-screen composition in IE
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Force Offscreen Composition", &H00000001, "REG_DWORD"

' Disable screensavers (policy key, current user and the .DEFAULT profile)
oShell.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"
oShell.RegWrite "HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive", "0", "REG_SZ"

' Don't show window contents when dragging
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\DragFullWindows", "0", "REG_SZ"

' Don't show window minimize/maximize animations
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\MinAnimate", "0", "REG_SZ"

' Disable font smoothing
oShell.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\FontSmoothing", "0", "REG_SZ"

' Disable most other visual effects
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\VisualFXSetting", &H00000003, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarAnimations", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark", &H00000000, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow", &H00000000, "REG_DWORD"
' UserPreferencesMask is REG_BINARY, which RegWrite cannot set byte-for-byte; see RegBinWrite below
RegBinWrite "HKEY_CURRENT_USER\Control Panel\Desktop", "UserPreferencesMask", "90,12,01,80"

' Disable Action Center
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", &H00000001, "REG_DWORD"

' Disable IE Persistent Cache
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Persistent", 0, "REG_DWORD"
oShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Feeds\SyncStatus", 0, "REG_DWORD"

' Done
WScript.Quit

' // ================
' // Functions
' // ================

' Start a program in a visible window and return immediately
Function Run(sFile)
Run = oShell.Run(sFile, 1, False)
End Function

' Start a program in a visible window and block until it exits; returns the exit code
Function RunWait(sFile)
RunWait = oShell.Run(sFile, 1, True)
End Function

' Same as RunWait, but with the window hidden
Function RunWaitHidden(sFile)
RunWaitHidden = oShell.Run(sFile, 0, True)
End Function

' True on Windows Server editions. Win32_OperatingSystem.ProductType is
' 1 = workstation, 2 = domain controller, 3 = server.
Function IsServer()
IsServer = False
On Error Resume Next
For Each objOS in GetObject("winmgmts:").InstancesOf ("Win32_OperatingSystem")
If objOS.ProductType = 1 Then IsServer = False
If objOS.ProductType = 2 Or objOS.ProductType = 3 Then IsServer = True
Next
End Function

' Write a REG_BINARY value by generating a temporary .reg file and importing
' it silently with regedit, because WScript.Shell.RegWrite only accepts an
' integer for REG_BINARY. data is a comma-separated hex byte list, e.g. "90,12,01,80".
' Pass "@" as value to set the key's default value.
Sub RegBinWrite (key, value, data)
key = "[" & key & "]"

If value <> "@" then
value = chr(34) & value & chr(34)
End if

valString = value & "=" & "hex:" & data

tempFile = GetTempDir() & "\regbinaryimport.reg"
Set txtStream = oFSO.CreateTextFile(tempFile,true)
txtStream.WriteLine("Windows Registry Editor Version 5.00")
txtStream.WriteLine(key)
txtStream.WriteLine(valString)
txtStream.Close

oShell.Run "regedit.exe /s """ & tempFile & """", 1, true

oFSO.DeleteFile tempFile
End Sub

' Return the TEMP directory from the environment collection (oEnv) opened
' earlier in the script, expanding any %VAR% references it still contains
Function GetTEMPDir()
GetTEMPDir = oEnv("TEMP")
If InStr(GetTEMPDir, "%") Then
GetTEMPDir = oShell.ExpandEnvironmentStrings(GetTEMPDir)
End If
End Function

[/source]


Tweaks

  • Superfetch
  • Themes
  • Windows Audio
  • Windows Audio Endpoint Builder
  • Google Update Service
  • Windows Search
  • Internet Connection Sharing
  • Media Center Extender Service
  • Routing and Remote Access
  • Adobe Flash Player Update Service
  • Fax
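Read-only audit of what the script above leaves behind, added here as an example and not part of the original script: it reports which Disk Cleanup categories are armed in profile 100 (several hold memory dumps, WER queues and thumbnails that a hunter relies on) and which of the services in the Tweaks list are still present and running. The display-name wildcards are assumptions matched against the list rather than confirmed service short names.

```powershell
# Added example: audit Disk Cleanup profile 100 and the Tweaks service list.
# Read-only; nothing here changes the registry or service state.

# Categories the script sets to 2 (purge) under StateFlags0100 that matter forensically
$ForensicCategories = @(
    'System error memory dump files', 'System error minidump files',
    'Windows Error Reporting Archive Files', 'Windows Error Reporting Queue Files',
    'Windows Error Reporting System Archive Files', 'Windows Error Reporting System Queue Files',
    'Setup Log Files', 'Windows Upgrade Log Files', 'Thumbnail Cache'
)

# Display-name patterns for the Tweaks list (wildcards are an assumption)
$TweakServiceDisplayNames = @(
    'Superfetch', 'SysMain', 'Themes', 'Windows Audio', 'Windows Audio Endpoint Builder',
    'Google Update Service*', 'Windows Search', 'Internet Connection Sharing*',
    'Media Center Extender Service', 'Routing and Remote Access',
    'Adobe Flash Player Update Service', 'Fax'
)

function Get-CleanmgrProfile100 {
    # One row per category: value of StateFlags0100 and whether sagerun:100 would purge it
    $base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'
    foreach ($cat in $ForensicCategories) {
        $item  = Get-ItemProperty -Path (Join-Path $base $cat) -Name StateFlags0100 -ErrorAction SilentlyContinue
        $flags = if ($item) { $item.StateFlags0100 } else { $null }
        [pscustomobject]@{ Category = $cat; StateFlags0100 = $flags; Armed = ($flags -eq 2) }
    }
}

function Get-TweakServiceState {
    # Resolve each display-name pattern; report NotInstalled when nothing matches
    foreach ($pattern in $TweakServiceDisplayNames) {
        $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
        if ($svc) {
            $svc | Select-Object Name, DisplayName, Status, StartType
        } else {
            [pscustomobject]@{ Name = $null; DisplayName = $pattern; Status = 'NotInstalled'; StartType = $null }
        }
    }
}

Get-CleanmgrProfile100 | Format-Table -AutoSize
Get-TweakServiceState  | Where-Object { $_.Status -ne 'NotInstalled' } | Format-Table -AutoSize
```

Any row with Armed = True is a category that the next `cleanmgr.exe /sagerun:100` will empty, so capture those directories before the script is run on a machine under investigation.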