TESTED ON > Windows 10 builds 22H2 / LTSC 2021 / Windows 11 builds 24H2 / LTSC 2024 and Server 2019 and Windows 11 Enterprise 25H2 evaluation builds
Then why not post the PowerShell scripts? Some may think you have used something like ps2exe to obfuscate the underlying code.
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wlms.exe]
"Debugger"="Blocked"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wlms.exe"
"2"="LicensingUi.exe"
"3"="OLicenseHeartbeat.exe"
"4"="CompatTelRunner.exe"
"5"="DeviceCensus.exe"
"6"="wsqmcons.exe"
"7"="aggregatorhost.exe"
"8"="DiagTrackRunner.exe"
"9"="smartscreen.exe"
"10"="dtdump.exe"
"11"="aitstatic.exe"
"12"="utcdecoderhost.exe"
"13"="DesktopSpotlightProduct.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LicensingUi.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLicenseHeartbeat.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aggregatorhost.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DiagTrackRunner.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dtdump.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aitstatic.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utcdecoderhost.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DesktopSpotlightProduct.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform]
"NoGenTicket"=dword:00000001
@wuliyen Missing entry in your post...
Code:
; Disable Program Compatibility Assistant Service (pcasvc)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc]
"Start"=dword:00000004

; Disable Connected User Experiences and Telemetry (DiagTrack)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack]
"Start"=dword:00000004

; Disable Windows Insider Service (wisvc)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wisvc]
"Start"=dword:00000004

; Disable windows error reporting
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wersvc]
"Start"=dword:00000004
"Start"=dword:00000004

; Set AllowTelemetry to 0 (Security/Off)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
"AllowTelemetry"=dword:00000000

should be
Code:
; Disable windows error reporting
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wersvc]
"Start"=dword:00000004
@pm67310 Thank you for this. I have a suggestion: instead of hard-blocking the execution at the kernel level, it would be better to redirect the calls to a sinkhole that always responds with error 5 ACCESS_DENIED, which terminates the function gracefully without hard errors and prevents endless execution retries. This way there is no weird behavior, no polluting of logs, and no untraceable errors months later. Most of the Windows binaries are equipped to handle error 5.
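To review what a .reg file like the ones posted above actually changes before importing it, here is an added Python example (not code from the thread) that parses the "Windows Registry Editor Version 5.00" format and groups entries by mechanism: IFEO "Debugger" redirects, the DisallowRun list, and services set to Start=4. The sample text is a constructed subset of the posted keys; the helper names are my own.

```python
# Constructed subset of the keys posted in the thread, in the .reg 5.00 format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wlms.exe"
"2"="CompatTelRunner.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe]
"Debugger"="Blocked"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack]
"Start"=dword:00000004
"""

IFEO = "\\Image File Execution Options\\"
SERVICES = "\\CurrentControlSet\\Services\\"
DISALLOW = "\\Policies\\Explorer\\DisallowRun"

def parse_reg(text):
    """Return {key_path: {value_name: data}}; quotes stripped, 'dword:' prefix kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key path without the brackets
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def summarize(keys):
    """Group entries by mechanism: IFEO Debugger, DisallowRun names, services set to Start=4."""
    out = {"ifeo_debugger": {}, "disallow_run": [], "disabled_services": []}
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]   # last path component (exe or service name)
        if IFEO in path and "Debugger" in values:
            out["ifeo_debugger"][leaf] = values["Debugger"]
        elif path.endswith(DISALLOW):
            order = sorted(values, key=lambda k: int(k) if k.isdigit() else 0)
            out["disallow_run"] = [values[k] for k in order]
        elif SERVICES in path and values.get("Start") == "dword:00000004":
            out["disabled_services"].append(leaf)
    return out

def doubly_blocked(summary):
    """Executables covered by both the IFEO Debugger and the DisallowRun list."""
    run = {n.lower() for n in summary["disallow_run"]}
    return sorted(n for n in summary["ifeo_debugger"] if n.lower() in run)
```

Run it on the full posted file to see every executable hit by both mechanisms at once; an IFEO "Debugger" value that is not a path to a real debugger (like "Blocked") is exactly the hard block the previous post discusses.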
An observation... This key, [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection], as I understand it, is to do with Windows Analytics, and nothing in there can be disabled, only limited (similar to cookies on a website: allow essential or all). For example, your setting of the "AllowTelemetry" value to 0 (Security/Off) serves no real purpose unless the "LimitEnhancedDiagnosticDataWindowsAnalytics" value (under the same key) is set to 1 (1 is needed when setting Security or Basic, otherwise crap still gets sent). There are 8 values under that key (on my system at least); the first 2 (including AllowTelemetry) are set to '0', the other 6 are set to '1'.

Windows now is seriously messy... yet still fun. Like the engineer (in all of us) says, "If it ain't broke... BREAK IT, then FIX IT". You won't be half as entertained using a Mac or Linux system... ROFL