[Help] Check for Windows Update with WFC (Secure Profile and Medium Filtering)

Discussion in 'Scripting' started by Thomas Dubreuil, Nov 9, 2018.

  1. Thomas Dubreuil

    Thomas Dubreuil MDL Member

    Aug 29, 2017
    110
    155
    10
    Hi guys, I need help with a small script again :D. Getting ambitious, hehe.

    The script re-enables inheritance on the key locked by WFC, allowing the firewall to be disabled, then checks for Windows updates, then asks the user to re-set protection when he wants (secure profile + firewall ON).
    As usual, using NSudo (and Abodi's technique to launch NSudo).

    Code:
    @echo off
    cd %systemroot%\system32
    call :IsAdmin
    
    :: Not elevated if the LOCAL SERVICE hive (HKU\S-1-5-19) cannot be read
    %windir%\system32\reg.exe query "HKU\S-1-5-19" 1>nul 2>nul || goto :eof
    
    :: Already SYSTEM (S-1-5-18)? Continue. Otherwise relaunch this script through
    :: NSudo as TrustedInstaller (-U:T) with all privileges enabled (-P:E) and quit.
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    "Nsudo" -U:T -P:E "%~dpnx0"
    goto :eof
    )
    
    :OK
    :: Unlock the key WFC protects: DACL back to inherited (dacl:np), explicit
    :: ACEs cleared, child keys reset so they inherit again
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl"
    netsh advfirewall set currentprofile state off
    
    explorer /root, ms-settings:windowsupdate-action
    
    echo Click on any key to re-enable secure profile now.
    pause>nul
    netsh advfirewall set currentprofile state on
    :: Relock: protected DACL without inherited copies (dacl:p_nc); only SYSTEM
    :: (full) and the firewall service account NT SERVICE\mpssvc (read) keep access
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read"
    exit
    
    :IsAdmin
    :: Exit if not running with administrator rights (the original fell through
    :: after the pause and kept going)
    Reg.exe query "HKU\S-1-5-19\Environment" >nul 2>&1
    If Not %ERRORLEVEL% EQU 0 (
     Cls & echo You must have administrator rights to continue.
           echo Press any key to exit...
    pause >nul
    exit
    )
    Cls
    goto :eof
    The most difficult part was finding the SetACL mechanics after finding the WFC lock method, and I was doing everything in PS when I discovered SetACL is also a cmdline tool... :) No more powershell -command" in the script, no more "p:full expression missing/does not exist" error, and the script is way faster.

    The last thing I'd like now is to hide the first commands... the ones after :OK are visible:
    Processing ACL of: ...
    SetACL finished successfully...
    OK

    I even tried to add another @echo off in front, but that didn't work...

    I would like to see only the "Click on any key to re-enable..." line when running the script,
    and show "success" before closing the window, if possible.

    PS: Another example of how 1809 is not quite finished: when you update this way (ms-settings:windowsupdate-action), the rectangle outline of Home in "Windows Update" is highlighted in black... it really looks like a GUI glitch.
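
    Added example, not code from the thread: the two SetACL lines in the script above, unlock (dacl:np + clear + rstchldrn) and relock (dacl:p_nc + clear + SYSTEM full + NT SERVICE\mpssvc read), done in PowerShell through the .NET registry security classes, which is the route the OP says he started on before switching to SetACL. It assumes PowerShell 5.1 on Windows 10 and that it runs as SYSTEM (via NSudo, as the batch file does), because the locked DACL grants Administrators nothing; the function names and the Show-KeyDacl check are mine.

```powershell
# Added example (not the thread's code). Mirrors the unlock/relock SetACL
# calls from the batch script with .NET registry ACLs. Assumes it runs as
# SYSTEM (e.g. via NSudo) on Windows 10 / PowerShell 5.1.
$FirewallKey = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

function Open-KeyForDacl([string]$SubKey) {
    # WRITE_DAC (ChangePermissions) to rewrite the DACL, ReadKey to list subkeys
    $rights = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
              [System.Security.AccessControl.RegistryRights]::ReadKey
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if (-not $key) { throw "Key not found: HKLM\$SubKey" }
    return $key
}

function Remove-ExplicitAces([System.Security.AccessControl.RegistrySecurity]$Acl) {
    # SetACL "-actn clear -clr dacl": drop every explicit ACE, keep inherited ones
    foreach ($rule in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$Acl.RemoveAccessRule($rule)
    }
}

function Reset-KeyToInherited([string]$SubKey) {
    # SetACL "-actn setprot -op dacl:np" + clear, then "-actn rstchldrn -rst dacl":
    # inheritance back on for this key and every subkey, recursively
    $key = Open-KeyForDacl $SubKey
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $acl.SetAccessRuleProtection($false, $false)
        Remove-ExplicitAces $acl
        $key.SetAccessControl($acl)
        foreach ($name in $key.GetSubKeyNames()) { Reset-KeyToInherited "$SubKey\$name" }
    } finally { $key.Close() }
}

function Lock-FirewallProfileKey {
    # SetACL "-actn setprot -op dacl:p_nc" (protected, inherited ACEs not copied),
    # clear, then -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read"
    $key = Open-KeyForDacl $FirewallKey
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $acl.SetAccessRuleProtection($true, $false)
        Remove-ExplicitAces $acl
        $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $prop    = [System.Security.AccessControl.PropagationFlags]::None
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow')))
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            'NT SERVICE\mpssvc', 'ReadKey', $inherit, $prop, 'Allow')))
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Show-KeyDacl([string]$SubKey = $FirewallKey) {
    # Check: is the DACL protected, and who holds which rights
    $acl = Get-Acl -Path "HKLM:\$SubKey"
    "Protected (inheritance off): $($acl.AreAccessRulesProtected)"
    $acl.Access | Select-Object IdentityReference, RegistryRights, IsInherited, AccessControlType |
        Format-Table -AutoSize
}

# Usage, same order as the batch file:
# Reset-KeyToInherited $FirewallKey    # unlock
# netsh advfirewall set currentprofile state off
# ... check for updates ...
# netsh advfirewall set currentprofile state on
# Lock-FirewallProfileKey              # relock
# Show-KeyDacl                         # expect Protected = True and only SYSTEM + NT SERVICE\mpssvc
```

    Show-KeyDacl is the check worth running after the relock: if the listing shows inherited entries or Protected = False, SetAccessControl did not take and WFC's lock is not back in place.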
     
  2. mxman2k

    mxman2k MDL Developer

    Jun 20, 2007
    2,496
    5,306
    90
    To hide a line from showing any text on screen within a script, just use >NUL 2>&1 at the end. :)

    But if any errors occur you won't see any!

    You could just use >NUL, but sometimes it will still show; using 2>&1 as well prevents anything from being shown.

    For example in your script:
    Code:
    
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    
    and
    
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
    
    
    That just sends any output to nothing for that line. If you wanted to send it to a log file, use >>"logname.log"; that too won't show anything on the screen, as it is being redirected to the 'log' file instead.
     
  3. Thomas Dubreuil

    #3 Thomas Dubreuil, Nov 9, 2018
    Last edited: Nov 11, 2018
    (OP)
    Thanks for the tip. I guessed about the >nul in between (having copied it for the @pause>nul command), but glad to know about the 2>&1, thanks :worthy:
    Here's the new script:
    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
    )
    
    :OK
    :: Unlock the WFC-protected key (inheritance on, explicit ACEs cleared, children
    :: reset) and switch the current firewall profile off; output hidden as suggested
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    netsh advfirewall set currentprofile state off >NUL 2>&1
    
    explorer /root, ms-settings:windowsupdate-action
    
    echo Click on any key to re-enable Windows Firewall Control Secure Profile.
    pause>nul
    
    :: Left unredirected on purpose: its "Ok." is the confirmation shown at the end
    netsh advfirewall set currentprofile state on
    :: Relock: protected DACL, only SYSTEM (full) and NT SERVICE\mpssvc (read)
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
    
    Timeout /T 1 /nobreak >NUL 2>&1
    Exit
    
    I left one line without the NUL redirection, just for the "Ok." message at the end :D, and added a 1 s timeout to make the OK confirmation visible...

    It was a pain to right-click WFC, select profile: no filtering, click Windows Update, check for updates, right-click WFC, select profile: medium filtering.
     
  4. Thomas Dubreuil

    #4 Thomas Dubreuil, Nov 11, 2018
    Last edited: Nov 11, 2018
    (OP)
    I have a question... is it possible, instead of pausing and finishing manually, to make it wait until the update is downloaded, then apply the end of the script (re-enable secure profile and close)? And maybe close the Windows Update window while I'm at it...
    mxman2k abbodi1406 ?

    OK, I could add
    taskkill /F /IM SystemSettings.exe /T>NUL 2>&1
    But then how do I make the script "aware" that the update download is complete?

    OK, I made progress, better behavior: I only have to close the Windows Update window now, but it's still not what I'd like.
    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
    )
    
    :OK
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl">NUL 2>&1
    netsh advfirewall set  currentprofile state off>NUL 2>&1
    
    explorer /root, ms-settings:windowsupdate-action
    explorer /root, ms-settings:windowsupdate
    
    :: Wait for the Settings window (SystemSettings.exe) to close, polling every 3 s.
    :: The original fell into a second loop that called tasklist with no delay.
    :LOOP
    tasklist | find /i "SystemSettings.exe">nul 2>&1
    IF ERRORLEVEL 1 GOTO CONTINUE
    ECHO Windows Update still downloading...
    :WAIT
    Timeout /T 3 /Nobreak>NUL 2>&1
    tasklist | find /i "SystemSettings.exe">nul 2>&1
    IF ERRORLEVEL 1 GOTO CONTINUE
    GOTO WAIT
    
    :CONTINUE
    netsh advfirewall set  currentprofile state on>nul 2>&1
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read">NUL 2>&1
    Exit
    PS: ms-settings:windowsupdate-action + ms-settings:windowsupdate "duplicates" is the only way I found to hide the W10 Update Settings display bug/glitch that happens when entering windowsupdate-action.
     
  5. Thomas Dubreuil

    #5 Thomas Dubreuil, Nov 11, 2018
    Last edited: Nov 17, 2018
    (OP)
    After 1275906 tries, getting there...

    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
    )
    
    :OK
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    netsh advfirewall set  currentprofile state off >NUL 2>&1
    
    set /a Old = 0
    set /a New = 0
    for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a Old += 1)
    set Old >NUL 2>&1
    
    explorer /root, ms-settings:windowsupdate
    UsoClient.exe StartInteractiveScan
    
    for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a New += 1)
    set New >NUL 2>&1
    goto COMPARE
     
    :COMPARE
    if %New% gtr %Old% goto CONTINUE
    goto KEEPWAITING
    
    :KEEPWAITING
    echo Windows Update still downloading, waiting to finish...
    goto COUNT
    
    :COUNT
    :: Recount the log files every 2 s; without a pause this loop pegs a CPU core
    Timeout /T 2 /nobreak >NUL 2>&1
    set /a New = 0
    for /f "tokens=*" %%P IN ('dir "C:\Windows\Logs\WindowsUpdate" /A /b') do (set /a New += 1)
    goto COMPARE2
    
    :COMPARE2
    if %New% gtr %Old% goto CONTINUE
    goto COUNT
    
    :CONTINUE
    echo Download finished, restoring Windows Firewall Control secure profile.
    netsh advfirewall set  currentprofile state on >NUL 2>&1
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read">NUL 2>&1
    
    setlocal EnableDelayedExpansion
    for /f %%a in ('copy /Z "%~f0" nul') do set "CR=%%a"
    for /L %%n in (5 -1 1) do (
      <nul set /P "=Done...Closing Windows Update in %%n seconds!CR!"
      ping -n 2 localhost > nul
    )
    
    taskkill /F /IM SystemSettings.exe /T >NUL 2>&1
    cmd/c
    Exit
    This works by counting the files in the Windows Update log folder and comparing after the update; however, the major problem is that it seems the .etl log is not written every time updates have been checked, as I believed in the beginning...
    Another solution, anyone?

    PS: "duplicates" sorted with UsoClient.exe StartInteractiveScan (using the StartScan switch doesn't write the last scan date).
    The timer at the end (instead of timeout) is to avoid displaying the CTRL+C prompt (while still displaying a timer).

    Update: or filter with an event ID, maybe?
     
  6. Thomas Dubreuil

    #6 Thomas Dubreuil, Nov 17, 2018
    Last edited: Nov 21, 2018
    (OP)
    Gave it another try today, learning slowly...
    First, a "clean one" that re-enables the WFC secure profile when the Windows Update window is closed:
    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
    )
    
    :OK
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    netsh advfirewall set  currentprofile state off >NUL 2>&1
    
    explorer /root, ms-settings:windowsupdate
    UsoClient.exe StartInteractiveScan
    
    @echo Close Windows Update window to re-enable Windows Firewall Control Secure Profile.
    
    :: Wait for the Settings window to be closed, polling once a second
    :LOOP
    tasklist | find /i "SystemSettings.exe" >nul 2>&1
    if errorlevel 1 goto END
    timeout /T 1 /nobreak >NUL 2>&1
    goto LOOP
    
    :END
    netsh advfirewall set  currentprofile state on >NUL 2>&1
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
    
    echo Done.
    timeout /T 1 /nobreak >NUL 2>&1
    exit
    And a "fully automated" one that imports a (previously saved) .xml scheduled task which kills the Windows Update window, triggered by System event ID 19 ("An update was installed."), then stops the task, deletes the task and re-enables the WFC secure profile.

    Code:
    @echo off
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    NSudo -U:T -P:E "%~dpnx0"&exit /b
    )
    
    :OK
    schtasks /Create /RU "SYSTEM" /TN "Re-Enable Windows Firewall Control Secure Profile" /XML "%~dp0Re-enable Windows Firewall Control Secure Profile.xml" >NUL 2>&1
    
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    netsh advfirewall set  currentprofile state off >NUL 2>&1
    
    explorer /root, ms-settings:windowsupdate
    UsoClient.exe StartInteractiveScan
    
    echo Close Windows Update window to re-enable Windows Firewall Control Secure Profile, or wait for update to be installed.
    
    :: Wait for the Settings window to close, either by the user or by the task
    :: (which runs taskkill when Event ID 19 "installation successful" is logged)
    :LOOP
    tasklist | find /i "SystemSettings.exe" >nul 2>&1
    if errorlevel 1 goto END
    timeout /T 1 /nobreak >NUL 2>&1
    goto LOOP
    
    :END
    :: schtasks /End takes no /RU switch; use the same task name as in /Create
    schtasks /End /TN "Re-Enable Windows Firewall Control Secure Profile" >NUL 2>&1
    schtasks /Delete /TN "Re-Enable Windows Firewall Control Secure Profile" /f >NUL 2>&1
    
    cls
    echo Re-enabling Windows Firewall Control Secure Profile...
    
    netsh advfirewall set  currentprofile state on >NUL 2>&1
    SetACL -on "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn ace -ace "n:SYSTEM;p:full" -ace "n:NT SERVICE\mpssvc;p:read" >NUL 2>&1
    
    TIMEOUT /T 2 /nobreak >NUL 2>&1
    echo Done.
    TIMEOUT /T 1 /nobreak >NUL 2>&1
    exit
    Re-enable Windows Firewall Control Secure Profile.xml
    Code:
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Date>2018-11-17T03:49:30.1989771</Date>
        <Author></Author>
        <Description>Re-Enable Windows Firewall Control Secure Profile</Description>
        <URI>\Re-Enable Windows Firewall Control Secure Profile</URI>
      </RegistrationInfo>
      <Triggers>
        <EventTrigger>
          <Enabled>true</Enabled>
          <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WindowsUpdateClient'] and EventID=19]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        </EventTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <UserId>S-1-5-18</UserId>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>false</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>false</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT1M</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>taskkill</Command>
          <Arguments>/F /IM SystemSettings.exe /T</Arguments>
        </Exec>
      </Actions>
    </Task>
    
    What bugs me is that it involves 2 different files (.bat + .xml task). I'd love to find a way to do the whole process with 1 file only...
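
    Added example, not the thread's code, and one answer to the single-file wish above: instead of a .bat that imports a scheduled-task .xml, one PowerShell script subscribes in-process to the same System-log query the task used (provider Microsoft-Windows-WindowsUpdateClient, Event ID 19), keeps polling for the Settings window like the tasklist loop does, and returns why it stopped waiting before the relock runs. Assumptions that are mine, not the thread's: it is already running as SYSTEM through NSudo like the batch files; SetACL.exe is on PATH; Event ID 20 (Installation Failure, same provider) is added so a failed install also ends the wait; the function name and the 30-minute timeout are arbitrary.

```powershell
# Added example (not the thread's code): single-file replacement for the
# .bat + task .xml pair. Waits for the Windows Update client's "installed"
# event (ID 19, the task XML trigger) or "failed" event (ID 20, my addition),
# for the Settings window to be closed, or for a timeout, then relocks.
$Provider = 'Microsoft-Windows-WindowsUpdateClient'
$XPath    = "*[System[Provider[@Name='$Provider'] and (EventID=19 or EventID=20)]]"
$Key      = 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

function Wait-WindowsUpdateOutcome {
    param([int]$TimeoutSeconds = 1800, [string]$WindowProcess = 'SystemSettings')
    $query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
                   'System', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $XPath)
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    $source  = "WUClient-$([guid]::NewGuid())"
    # Matching records are queued as PowerShell events; Wait-Event consumes them
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier $source | Out-Null
    $watcher.Enabled = $true
    $deadline   = (Get-Date).AddSeconds($TimeoutSeconds)
    $seenWindow = $false
    try {
        while ((Get-Date) -lt $deadline) {
            $ev = Wait-Event -SourceIdentifier $source -Timeout 2
            if ($ev) {
                Remove-Event -EventIdentifier $ev.EventIdentifier
                $rec = $ev.SourceEventArgs.EventRecord
                if ($rec) {
                    return [pscustomobject]@{ Reason = 'event'; EventId = $rec.Id; Message = $rec.FormatDescription() }
                }
                continue   # EventRecord is null when the watcher reports a read error; keep waiting
            }
            # Same idea as the tasklist loop, but only once the window has actually
            # appeared, so a slow Settings start is not mistaken for a closed window
            $running = [bool](Get-Process -Name $WindowProcess -ErrorAction SilentlyContinue)
            if ($running) { $seenWindow = $true }
            elseif ($seenWindow) {
                return [pscustomobject]@{ Reason = 'window-closed'; EventId = $null; Message = $null }
            }
        }
        return [pscustomobject]@{ Reason = 'timeout'; EventId = $null; Message = $null }
    } finally {
        $watcher.Enabled = $false
        Unregister-Event -SourceIdentifier $source -ErrorAction SilentlyContinue
        $watcher.Dispose()
    }
}

# Driver, same sequence as the batch script; must already be running as SYSTEM
SetACL -on $Key -ot reg -actn setprot -op 'dacl:np' -actn clear -clr 'dacl' -actn rstchldrn -rst 'dacl' | Out-Null
netsh advfirewall set currentprofile state off | Out-Null

Start-Process 'ms-settings:windowsupdate'
& "$env:windir\System32\UsoClient.exe" StartInteractiveScan
Write-Host 'Close the Windows Update window to restore the WFC secure profile, or wait for the update to install.'

$outcome = Wait-WindowsUpdateOutcome
Write-Host "Stopped waiting: $($outcome.Reason)"
if ($outcome.Reason -eq 'event') {
    Write-Host "Event $($outcome.EventId): $($outcome.Message)"
    # The task's action (taskkill /F /IM SystemSettings.exe), done in-process
    Stop-Process -Name SystemSettings -Force -ErrorAction SilentlyContinue
}

netsh advfirewall set currentprofile state on | Out-Null
SetACL -on $Key -ot reg -actn setprot -op 'dacl:p_nc' -actn clear -clr 'dacl' -actn ace -ace 'n:SYSTEM;p:full' -ace 'n:NT SERVICE\mpssvc;p:read' | Out-Null
Write-Host 'Done.'
```

    The finally block matters: if the script is interrupted mid-wait, the watcher is disabled and the subscription removed, so no orphaned handler keeps firing in the session. The timeout is the safety net the event-triggered task did not have; when it expires the profile is relocked even though no update event arrived.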