Hi guys, I need help for a small script again. Getting ambitious hehe. The script re-enables inheritance on the key locked by WFC, allowing to disable the firewall, then checks for Windows updates, then asks the user to re-set protection when he wants (secure profile + firewall ON). As usual, using NSudo (and abbodi's technique to launch NSudo).

Code:
@echo off
cd %systemroot%\system32
call :IsAdmin
%windir%\system32\reg.exe query "HKU\S-1-5-19" 1>nul 2>nul || goto :eof
REM Relaunch as TrustedInstaller through NSudo unless already running as SYSTEM (S-1-5-18)
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    "Nsudo" -U:T -P:E "%~dpnx0"
    goto :eof
)

:OK
@echo off
REM Unlock: re-enable DACL inheritance on the key WFC protects and reset the child keys
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl"
netsh advfirewall set currentprofile state off
explorer /root, ms-settings:windowsupdate-action
@echo Click on any key to re-enable secure profile now.
@pause>nul
netsh advfirewall set currentprofile state on
REM Relock: protected DACL with only SYSTEM (full control) and the firewall service (read)
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read"
REM "cmd /c Exit" only ends a child cmd and falls through into :IsAdmin; exit closes this window
exit

:IsAdmin
Reg.exe query "HKU\S-1-5-19\Environment" >nul 2>&1
If Not %ERRORLEVEL% EQU 0 (
    Cls & echo You must have administrator rights to continue.
    echo Press any key to exit...
    pause >nul
    exit
)
Cls
goto :eof

Most difficult was to find the SetACL mechanisms after finding the WFC lock method, and I was doing everything in PS when I discovered SetACL is also a cmdline tool... no more powershell -command "" in the script, no more "p:full expression missing/does not exist" error, and the script is way faster. Last thing I'd like now is to hide the first commands... the ones after :OK are visible:

Processing ACL of: ...
SetACL finished successfully.
OK

Even tried to add another @echo off in front but that didn't work...
I would like to see only the "Click on any key to re-enable..." when running the script, and show "success" before closing the window, if possible. PS: Another example of how 1809 is not quite finished: when you update this way (ms-settings:windowsupdate-action) the rectangle outline of the Home in "Windows Update" is highlighted in black... it really looks like a GUI glitch.
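An added check, not part of the post above: a PowerShell snippet that verifies the StandardProfile key is back in the locked state the relock SetACL step is meant to produce (protected DACL, SYSTEM full control, NT SERVICE\mpssvc read). It assumes the key path and the two ACEs from the script above, and should run elevated as SYSTEM (the way the thread launches its scripts via NSudo) so the locked key's DACL can be read.

```powershell
# Added check, not from the thread: confirm the StandardProfile key is back in
# the locked state the relock SetACL step is meant to produce. Assumes the key
# path and ACEs from the script above (SYSTEM full control, mpssvc read) and
# a protected (non-inheriting) DACL, which is what SetACL "dacl:p_nc" sets.
$WfcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

function Test-WfcLock {
    param([string]$Path = $WfcKey)

    $acl = Get-Acl -Path $Path
    $problems = [System.Collections.Generic.List[string]]::new()

    # "dacl:p_nc" = protected DACL: inheritance from the parent key is off.
    if (-not $acl.AreAccessRulesProtected) {
        $problems.Add('inheritance enabled: key is still unlocked')
    }

    # Exactly these two Allow ACEs should remain after the relock.
    $expected = @{
        'NT AUTHORITY\SYSTEM' = [System.Security.AccessControl.RegistryRights]::FullControl
        'NT SERVICE\mpssvc'   = [System.Security.AccessControl.RegistryRights]::ReadKey
    }
    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        if (-not $expected.ContainsKey($who)) {
            $problems.Add("unexpected ACE: $who ($($rule.RegistryRights))")
        } elseif ($rule.AccessControlType -ne 'Allow' -or $rule.RegistryRights -ne $expected[$who]) {
            $problems.Add("wrong rights for ${who}: $($rule.RegistryRights)")
        }
    }
    foreach ($who in $expected.Keys) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $who })) {
            $problems.Add("missing ACE: $who")
        }
    }

    [pscustomobject]@{ Locked = ($problems.Count -eq 0); Problems = $problems }
}

# Run elevated as SYSTEM (as the thread does via NSudo): once locked, only
# SYSTEM and mpssvc are granted access, so other accounts may not read the DACL.
$r = Test-WfcLock
if ($r.Locked) { 'WFC secure profile lock is in place.' }
else { $r.Problems | ForEach-Object { "NOT locked: $_" } }
```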
To hide a line from showing any text on screen within a script, just use >NUL 2>&1 at the end. But if any errors occur you won't see them! You could just use >NUL but sometimes it will still show; using the 2>&1 as well prevents anything being shown. For example in your script:

Code:
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
and
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1

That just sends any output to nothing for that line. If you wanted to send it to a log file, use >>"logname.log"; that too won't show anything on the screen as it is being redirected to the 'log' file instead.
Thanks for the tip. I guessed about the >nul in between (having copied it for the @pause>nul command) but glad to know about the 2>&1, thanks. Here's the new script:

Code:
@echo off
REM Relaunch as TrustedInstaller through NSudo unless already running as SYSTEM (S-1-5-18)
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
)

:OK
REM Unlock the key WFC protects, then drop the firewall for the current profile
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
netsh advfirewall set currentprofile state off >NUL 2>&1
explorer /root, ms-settings:windowsupdate-action
@echo Click on any key to re-enable Windows Firewall Control Secure Profile.
@pause>nul
REM Left unredirected on purpose so netsh's "OK." confirmation is shown
netsh advfirewall set currentprofile state on
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
Timeout /T 1 /nobreak >NUL 2>&1
REM exit (not "cmd /c Exit", which only ends a child cmd) closes the window
exit

I left 1 line without the NUL value, just for the OK. message at the end, and added a 1s Timeout to make the OK confirmation visible... Was a pain to right click WFC, select profile: no filtering, click Windows Update, check for updates, right click WFC, select profile: medium filtering.
Have a question... is it possible, instead of pausing and finishing manually, to make it wait until the update is downloaded, then apply the end of the script (re-enable secure profile and close)? And maybe close the Windows Update window while I'm at it... mxman2k abbodi1406? OK, I could add taskkill /F /IM SystemSettings.exe /T >NUL 2>&1, but after that, how to make the script "aware" when the update download is complete? OK, I made progress, better behavior: I only have to close the Windows Update window now, but still not what I'd like.

Code:
@echo off
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
)

:OK
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
netsh advfirewall set currentprofile state off >NUL 2>&1
REM Opening both pages hides the display glitch of windowsupdate-action (see PS below)
explorer /root, ms-settings:windowsupdate-action
explorer /root, ms-settings:windowsupdate

:LOOP
REM Wait for the Settings window to be closed; show the message once, then poll silently
tasklist | find /i "SystemSettings.exe" >nul 2>&1
IF ERRORLEVEL 1 (
    GOTO CONTINUE
) ELSE (
    ECHO Windows Update still downloading...
    Timeout /T 3 /Nobreak >NUL 2>&1
    GOTO LOOP2
)

:LOOP2
REM Poll every 3 seconds instead of spinning at full CPU
Timeout /T 3 /Nobreak >NUL 2>&1
tasklist | find /i "SystemSettings.exe" >nul 2>&1
IF ERRORLEVEL 1 (
    GOTO CONTINUE
) ELSE (
    GOTO LOOP2
)

:CONTINUE
netsh advfirewall set currentprofile state on >nul 2>&1
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
Exit

PS: ms-settings:windowsupdate-action + ms-settings:windowsupdate "duplicates" = the only way found to hide the W10 update settings display bug/glitch that happens when entering windowsupdate-action.
After 1275906 tries, getting there...

Code:
@echo off
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
)

:OK
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
netsh advfirewall set currentprofile state off >NUL 2>&1
REM Count the files in the Windows Update log folder before the scan
set /a Old = 0
set /a New = 0
for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a Old += 1)
explorer /root, ms-settings:windowsupdate
UsoClient.exe StartInteractiveScan
for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a New += 1)

:COMPARE
REM A new file in the log folder is taken as "update finished"
if %New% gtr %Old% goto CONTINUE
echo Windows Update still downloading, waiting to finish...

:COUNT
REM Recount every 3 seconds instead of spinning
timeout /T 3 /nobreak >NUL 2>&1
set /a New = 0
for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a New += 1)
if %New% gtr %Old% goto CONTINUE
goto COUNT

:CONTINUE
echo Download finished, restoring Windows Firewall Control secure profile.
netsh advfirewall set currentprofile state on >NUL 2>&1
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
setlocal EnableDelayedExpansion
REM Capture a carriage return so the countdown rewrites one line (no CTRL+C prompt as with timeout)
for /f %%a in ('copy /Z "%~f0" nul') do set "CR=%%a"
for /L %%n in (5 -1 1) do (
    <nul set /P "=Done...Closing Windows Update in %%n seconds!CR!"
    ping -n 2 localhost > nul
)
taskkill /F /IM SystemSettings.exe /T >NUL 2>&1
exit

This works by counting files in the Windows Update log folder and comparing after the update; however, the major problem is that it seems the .etl log is not written every time an update has been checked, as I believed in the beginning...
Another solution, anyone? PS: "duplicates" sorted with UsoClient.exe StartInteractiveScan (using the startscan switch doesn't write the last scan date). The timer at the end (instead of timeout) is to avoid displaying the CTRL+C prompt (while still displaying a timer). Update: or filter with an event id, maybe?
Gave it another try today, learning slowly... First, a "clean one" that re-enables the WFC secure profile when closing the Windows Update window:

Code:
@echo off
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
)

:OK
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
netsh advfirewall set currentprofile state off >NUL 2>&1
explorer /root, ms-settings:windowsupdate
UsoClient.exe StartInteractiveScan
@echo Close Windows Update window to re-enable Windows Firewall Control Secure Profile.

:LOOP
REM Poll every 2 seconds until the Settings window is gone (avoids a tight loop)
tasklist | find /i "SystemSettings.exe" >nul 2>&1
if errorlevel 1 goto END
timeout /T 2 /nobreak >NUL 2>&1
goto LOOP

:END
netsh advfirewall set currentprofile state on >NUL 2>&1
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
echo Done.
timeout /T 1 /nobreak >NUL 2>&1
exit

And a "fully automated" one that imports a (previously saved) .xml scheduled task which kills the Windows Update window, triggered by System event id 19 ("An update was installed."), then stops the task, deletes the task and re-enables the WFC secure profile.
Code:
@echo off
%windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
)

:OK
REM Import the saved task: on System event 19 it kills the Windows Update window
schtasks /Create /RU "SYSTEM" /TN "Re-Enable Windows Firewall Control Secure Profile" /XML "%~dp0Re-enable Windows Firewall Control Secure Profile.xml" >NUL 2>&1
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
netsh advfirewall set currentprofile state off >NUL 2>&1
explorer /root, ms-settings:windowsupdate
UsoClient.exe StartInteractiveScan
echo Close Windows Update window to re-enable Windows Firewall Control Secure Profile, or wait for update to be installed.

:LOOP
REM Poll every 2 seconds until the Settings window is gone (avoids a tight loop)
tasklist | find /i "SystemSettings.exe" >nul 2>&1
if errorlevel 1 goto END
timeout /T 2 /nobreak >NUL 2>&1
goto LOOP

:END
REM schtasks /End has no /RU switch; with it the command fails (silently, because of >NUL)
schtasks /End /TN "Re-Enable Windows Firewall Control Secure Profile" >NUL 2>&1
schtasks /Delete /TN "Re-Enable Windows Firewall Control Secure Profile" /f >NUL 2>&1
cls
echo Re-enabling Windows Firewall Control Secure Profile...
netsh advfirewall set currentprofile state on >NUL 2>&1
SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
TIMEOUT /T 2 /nobreak >NUL 2>&1
echo Done.
TIMEOUT /T 1 /nobreak >NUL 2>&1
exit

Re-enable Windows Firewall Control Secure Profile.xml

Code:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-11-17T03:49:30.1989771</Date>
    <Author></Author>
    <Description>Re-Enable Windows Firewall Control Secure Profile</Description>
    <URI>\Re-Enable Windows Firewall Control Secure Profile</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <!-- The event query is a string, so its XML must be escaped inside Subscription -->
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient'] and EventID=19]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>taskkill</Command>
      <Arguments>/F /IM SystemSettings.exe /T</Arguments>
    </Exec>
  </Actions>
</Task>

What bugs me is that it involves 2 different files (.bat + .xml task). I'd love to find a way to make the whole process with 1 file only...
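As an added example (not the poster's code), here is a single-file PowerShell take on the same idea: instead of importing a scheduled task, the script itself polls the System log for the event the task XML above triggers on (provider Microsoft-Windows-WindowsUpdateClient, EventID 19) and only then closes the Settings window. The function name, the 30-minute cap and the 10-second poll interval are assumptions; the unlock and relock steps are the thread's own SetACL/netsh commands and are only referenced in comments.

```powershell
# Added example, not from the thread: wait for the same event the .xml task
# triggers on (System log, provider Microsoft-Windows-WindowsUpdateClient,
# EventID 19 "An update was installed"), so one script can replace the task.
# Timeout and poll interval are assumptions.
function Wait-WindowsUpdateInstalled {
    param(
        [datetime]$Since = (Get-Date),   # only events logged after the scan started
        [int]$TimeoutMinutes = 30,       # assumption: give up after 30 minutes
        [int]$PollSeconds = 10
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 19
        StartTime    = $Since
    }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        # Get-WinEvent errors out when nothing matches yet, so silence that and re-poll.
        $ev = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { return $ev }
        Start-Sleep -Seconds $PollSeconds
    }
    return $null   # timed out: the caller should still restore the secure profile
}

# Usage in the thread's flow: note the start time, run the unlock step
# (SetACL "dacl:np" + netsh ... state off, as in the .bat), start the scan, wait.
$start = Get-Date
Start-Process 'ms-settings:windowsupdate'
& "$env:SystemRoot\System32\UsoClient.exe" StartInteractiveScan

$ev = Wait-WindowsUpdateInstalled -Since $start
if ($ev) {
    Write-Host ("Installed at {0}: {1}" -f $ev.TimeCreated, ($ev.Message -split "`n")[0])
} else {
    Write-Host 'No install event within the time limit; restoring the secure profile anyway.'
}
# Close the Settings window (what the task's taskkill did), then run the relock
# step from the .bat: netsh ... state on and the SetACL "dacl:p_nc" command.
Stop-Process -Name SystemSettings -Force -ErrorAction SilentlyContinue
```

Event 19 is logged once per installed update, so a scan that finds nothing to install never fires it; the timeout branch is what keeps the firewall from staying off in that case.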
New one without scheduled task...https://forums.mydigitallife.net/th...y-block-everything.64640/page-14#post-1492446