Implement W4H4WK Debloat Scripts

simeononsecurity · Aug 5, 2020 · 5549930 · 5549930
1 parent f14c5c9
commit 5549930
Show file tree

Hide file tree

Showing 30 changed files with 1,483 additions and 16 deletions.
diff --git a/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/.gitattributes b/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/.gitattributes
@@ -0,0 +1,5 @@
+* text=auto
+*.bat  text eol=crlf
+*.ps1  text eol=crlf
+*.psm1 text eol=crlf
+*.reg  text eol=crlf
diff --git a/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/LICENSE b/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/LICENSE
@@ -0,0 +1,9 @@
+"THE BEER-WARE LICENSE" (Revision 42):
+
+As long as you retain this notice you can do whatever you want with this
+stuff. If we meet some day, and you think this stuff is worth it, you can
+buy us a beer in return.
+
+This project is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/README.md b/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/README.md
@@ -0,0 +1,148 @@
+# Debloat Windows 10
+
+**Windows 10 2004 Update:**
+The default configuration of the scripts break the System Settings app.
+See [issue 254](https://github.com/W4RH4WK/Debloat-Windows-10/issues/254) for more information.
+
+This project collects PowerShell scripts which help to *debloat* Windows 10,
+tweak common settings and install basic software components.
+
+I test these scripts on a Windows 10 Professional 64-Bit (English) virtual
+machine. Please let me know if you encounter any issues. Home Edition and
+different languages are not supported. These scripts are intended for
+tech-savvy administrators, who know what they are doing and just want to
+automate this phase of their setup. If this profile does not fit you, I
+recommend using a different (more interactive) tool -- and there are a lot of
+them out there.
+
+Also note that gaming related apps and services will be removed / disabled. If
+you intend to use your system for gaming, adjust the scripts accordingly.
+
+**There is no undo**, I recommend only using these scripts on a fresh
+installation (including Windows Updates). Test everything after running them
+before doing anything else. Also there is no guarantee that everything will
+work after future updates since I cannot predict what Microsoft will do next.
+
+## Interactivity
+
+The scripts are designed to run without any user-interaction. Modify them
+beforehand. If you want a more interactive approach check out
+[DisableWinTracking](https://github.com/10se1ucgo/DisableWinTracking) from
+[10se1ucgo](https://github.com/10se1ucgo).
+
+## Download Latest Version
+
+Code located in the `master` branch is always considered under development, but
+you'll probably want the most recent version anyway.
+
+- [Download [zip]](https://github.com/W4RH4WK/Debloat-Windows-10/archive/master.zip)
+
+## Execution
+
+Enable execution of PowerShell scripts:
+
+    PS> Set-ExecutionPolicy Unrestricted -Scope CurrentUser
+
+Unblock PowerShell scripts and modules within this directory:
+
+    PS> ls -Recurse *.ps*1 | Unblock-File
+
+## Usage
+
+Scripts can be run individually, pick what you need.
+
+1. Install all available updates for your system.
+2. Edit the scripts to fit your need.
+3. Run the scripts you want to apply from a PowerShell with administrator privileges (Explorer
+   `Files > Open Windows PowerShell > Open Windows PowerShell as
+   administrator`)
+4. `PS > Restart-Computer`
+5. Run `disable-windows-defender.ps1` one more time if you ran it in step 3
+6. `PS > Restart-Computer`
+
+## Start menu
+
+In the past I included small fixes to make the start menu more usable, like
+removing default tiles, disabling web search and so on. This is no longer the
+case since I am that fed up with it. This fucking menu breaks for apparently
+no reason, is slow, is a pain to configure / script and even shows ads out of
+the box!
+
+Please replace it with something better, either use [Open Shell] or [Start
+is Back], but stop using that shit.
+
+[Open Shell]: <https://open-shell.github.io/Open-Shell-Menu/>
+[Start is Back]: <http://startisback.com/>
+
+## Known Issues
+
+### Start menu Search
+
+After running the scripts, the start menu search-box may no longer work on newly
+created accounts. It seems like there is an issue with account initialization
+that is triggered when disabling the GeoLocation service. Following workaround
+has been discovered by BK from Atlanta:
+
+1. Delete registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc\TriggerInfo\3`
+2. Re-enable GeoLocation service (set startup type to `Automatic`)
+3. Reboot
+4. Login with the account having the stated issue
+5. Start Cortana and set your preferences accordingly (web search and whatnot)
+
+You may now disable the GeoLocation service again, the search box should remain
+functional.
+
+### Sysprep will hang
+
+If you are deploying images with MDT and running these scripts, the sysprep
+step will hang unless `dmwappushserivce` is active.
+
+### Xbox Wireless Adapter
+
+Apprently running the stock `remove-default-apps` script will cause Xbox
+Wireless Adapters to stop functioning. I suspect one should not remove the Xbox
+App when wanting to use one. But I haven't confirmed this yet, and there is a
+workaround to re-enable it afterwards. See
+[#78](https://github.com/W4RH4WK/Debloat-Windows-10/issues/78).
+
+### Issues with Skype
+
+Some of the domains blocked by adding them to the hosts-file are required for
+Skype. I highly discourage using Skype, however some people may not have
+the option to use an alternative. See the
+[#79](https://github.com/W4RH4WK/Debloat-Windows-10/issues/79).
+
+### Fingerprint Reader / Facial Detection not Working
+
+Ensure *Windows Biometric Service* is running. See
+[#189](https://github.com/W4RH4WK/Debloat-Windows-10/issues/189).
+
+## Liability
+
+**All scripts are provided as is and you use them at your own risk.**
+
+## Contribute
+
+I would be happy to extend the collection of scripts. Just open an issue or
+send me a pull request.
+
+### Thanks To
+
+- [10se1ucgo](https://github.com/10se1ucgo)
+- [Plumebit](https://github.com/Plumebit)
+- [aramboi](https://github.com/aramboi)
+- [maci0](https://github.com/maci0)
+- [narutards](https://github.com/narutards)
+- [tumpio](https://github.com/tumpio)
+
+## License
+
+    "THE BEER-WARE LICENSE" (Revision 42):
+
+    As long as you retain this notice you can do whatever you want with this
+    stuff. If we meet some day, and you think this stuff is worth it, you can
+    buy us a beer in return.
+
+    This project is distributed in the hope that it will be useful, but WITHOUT
+    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+    FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/lib/force-mkdir.psm1 b/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/lib/force-mkdir.psm1
@@ -0,0 +1,11 @@
+# Thanks to raydric, this function should be used instead of `mkdir -force`.
+#
+# While `mkdir -force` works fine when dealing with regular folders, it behaves
+# strange when using it at registry level. If the target registry key is
+# already present, all values within that key are purged.
+function force-mkdir($path) {
+    if (!(Test-Path $path)) {
+        #Write-Host "-- Creating full path to: " $path -ForegroundColor White -BackgroundColor DarkGreen
+        New-Item -ItemType Directory -Force -Path $path
+    }
+}
diff --git a/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/lib/take-own.psm1 b/Files/Scripts/Debloating, Optimization, and Privacy/W4H4WK/lib/take-own.psm1
@@ -0,0 +1,106 @@
+function Takeown-Registry($key) {
+    # TODO does not work for all root keys yet
+    switch ($key.split('\')[0]) {
+        "HKEY_CLASSES_ROOT" {
+            $reg = [Microsoft.Win32.Registry]::ClassesRoot
+            $key = $key.substring(18)
+        }
+        "HKEY_CURRENT_USER" {
+            $reg = [Microsoft.Win32.Registry]::CurrentUser
+            $key = $key.substring(18)
+        }
+        "HKEY_LOCAL_MACHINE" {
+            $reg = [Microsoft.Win32.Registry]::LocalMachine
+            $key = $key.substring(19)
+        }
+    }
+
+    # get administraor group
+    $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+    $admins = $admins.Translate([System.Security.Principal.NTAccount])
+
+    # set owner
+    $key = $reg.OpenSubKey($key, "ReadWriteSubTree", "TakeOwnership")
+    $acl = $key.GetAccessControl()
+    $acl.SetOwner($admins)
+    $key.SetAccessControl($acl)
+
+    # set FullControl
+    $acl = $key.GetAccessControl()
+    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, "FullControl", "Allow")
+    $acl.SetAccessRule($rule)
+    $key.SetAccessControl($acl)
+}
+
+function Takeown-File($path) {
+    takeown.exe /A /F $path
+    $acl = Get-Acl $path
+
+    # get administraor group
+    $admins = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+    $admins = $admins.Translate([System.Security.Principal.NTAccount])
+
+    # add NT Authority\SYSTEM
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, "FullControl", "None", "None", "Allow")
+    $acl.AddAccessRule($rule)
+
+    Set-Acl -Path $path -AclObject $acl
+}
+
+function Takeown-Folder($path) {
+    Takeown-File $path
+    foreach ($item in Get-ChildItem $path) {
+        if (Test-Path $item -PathType Container) {
+            Takeown-Folder $item.FullName
+        } else {
+            Takeown-File $item.FullName
+        }
+    }
+}
+
+function Elevate-Privileges {
+    param($Privilege)
+    $Definition = @"
+    using System;
+    using System.Runtime.InteropServices;
+
+    public class AdjPriv {
+        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
+            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
+
+        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
+            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
+
+        [StructLayout(LayoutKind.Sequential, Pack = 1)]
+            internal struct TokPriv1Luid {
+                public int Count;
+                public long Luid;
+                public int Attr;
+            }
+
+        internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
+        internal const int TOKEN_QUERY = 0x00000008;
+        internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
+
+        public static bool EnablePrivilege(long processHandle, string privilege) {
+            bool retVal;
+            TokPriv1Luid tp;
+            IntPtr hproc = new IntPtr(processHandle);
+            IntPtr htok = IntPtr.Zero;
+            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
+            tp.Count = 1;
+            tp.Luid = 0;
+            tp.Attr = SE_PRIVILEGE_ENABLED;
+            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
+            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
+            return retVal;
+        }
+    }
+"@
+    $ProcessHandle = (Get-Process -id $pid).Handle
+    $type = Add-Type $definition -PassThru
+    $type[0]::EnablePrivilege($processHandle, $Privilege)
+}