0x11DFE/unsafeDriversHvci.ps1

## unsafeDriversHvci.ps1
###
# - @T3SL4
# This script automates the HVCI scan and removal of unsafe drivers.
###

# Ensure the script runs with administrative privileges
if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Host "Running script as administrator..." -ForegroundColor Cyan
    Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
    exit
}

# Function to take ownership and grant permissions
function TakeOwnershipAndGrantPermission($path) {
    takeown.exe /F $path /A /R /D Y > $null 2>&1
    icacls.exe $path /grant:r 'Administrators:(F)' /T /C /Q > $null 2>&1
}

# Function to remove unsafe drivers
function RemoveUnsafeDrivers {
    $hvciscan_exe = ".\hvciscan_amd64.exe"
    $hvciscan_url = "https://download.microsoft.com/download/3/7/5/3754cbaa-4dff-469a-a9f0-ca501f3c0421/hvciscan_amd64.exe"

    if (-not (Test-Path $hvciscan_exe)) {
        Write-Host "File not found. Downloading $hvciscan_exe..." -ForegroundColor Yellow
        Invoke-WebRequest -Uri $hvciscan_url -OutFile $hvciscan_exe -UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124."
    }

    Write-Host "Running hvciscan tool..." -ForegroundColor Yellow
    $hvciOutput = & $hvciscan_exe

    $driverFilePaths = $hvciOutput | Select-String -Pattern 'HVCI: "(.*?)" failed' | ForEach-Object {
        $_.Matches[0].Groups[1].Value
    }

    if ($driverFilePaths.Count -eq 0) {
        Write-Host "No drivers to remove." -ForegroundColor Red
        return
    }

    $driverFilePaths | ForEach-Object {
        $sysDirectory = Split-Path $_

        if (Test-Path $_) {
            if ($sysDirectory -like '*\Windows\System32\drivers\*') {
                TakeOwnershipAndGrantPermission $_
                Write-Host "Found! " -ForegroundColor Green -NoNewline
                Write-Host "Removing driver file $_..." -ForegroundColor Yellow
                Remove-Item -Path $_ -Force
            } else {
                $searchDirectory = $sysDirectory
                while ($null -eq (Get-ChildItem -Path $searchDirectory -Filter "*.inf" -Recurse | Select-Object -First 1) -and $searchDirectory -ne "C:\") {
                    $searchDirectory = Split-Path $searchDirectory
                }

                if ($searchDirectory -ne "C:\") {
                    TakeOwnershipAndGrantPermission $searchDirectory
                    Write-Host "Found! " -ForegroundColor Green -NoNewline
                    Write-Host "Removing driver directory $searchDirectory..." -ForegroundColor Yellow
                    Remove-Item -Path $searchDirectory -Recurse -Force
                }
            }
        }
    }
}

# Function to enable Core Isolation and Memory Integrity
function EnableCoreIsolationAndMemoryIntegrity {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HypervisorEnforcedCodeIntegrity" -Value 1
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "WasEnabledBy" -Value 2
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureSystemGuardLaunch" -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureKernelShadowStacksLaunch" -Value 1
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HVCIMATRequired" -Value 1
}

# Function to disable Core Isolation and Memory Integrity
function DisableCoreIsolationAndMemoryIntegrity {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HypervisorEnforcedCodeIntegrity" -Value 0
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 0
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "WasEnabledBy" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureSystemGuardLaunch" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureKernelShadowStacksLaunch" -Value 0
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HVCIMATRequired" -Value 0
}

# Main script execution
$action_hvci = Read-Host "Scan and delete unsafe drivers? (y/n)"
if ($action_hvci -eq "y") {
    RemoveUnsafeDrivers
}

$action_isolation = Read-Host "Enable Windows Defender Core Isolation and Memory Integrity? (y/n)"
if ($action_isolation -eq "y") {
    EnableCoreIsolationAndMemoryIntegrity
} elseif ($action_isolation -eq "n") {
    $disable_isolation = Read-Host "Disable Windows Defender Core Isolation and Memory Integrity? (y/n)"
    if ($disable_isolation -eq "y") {
        DisableCoreIsolationAndMemoryIntegrity
    }
}

Write-Host "Script finished, please restart your computer." -ForegroundColor Cyan
pause
	###
	# - @T3SL4
	# This script automates the HVCI scan and removal of unsafe drivers.
	###

	# Ensure the script runs with administrative privileges
	if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
	Write-Host "Running script as administrator..." -ForegroundColor Cyan
	Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs
	exit
	}

	# Function to take ownership and grant permissions
	function TakeOwnershipAndGrantPermission($path) {
	takeown.exe /F $path /A /R /D Y > $null 2>&1
	icacls.exe $path /grant:r 'Administrators:(F)' /T /C /Q > $null 2>&1
	}

	# Function to remove unsafe drivers
	function RemoveUnsafeDrivers {
	$hvciscan_exe = ".\hvciscan_amd64.exe"
	$hvciscan_url = "https://download.microsoft.com/download/3/7/5/3754cbaa-4dff-469a-a9f0-ca501f3c0421/hvciscan_amd64.exe"

	if (-not (Test-Path $hvciscan_exe)) {
	Write-Host "File not found. Downloading $hvciscan_exe..." -ForegroundColor Yellow
	Invoke-WebRequest -Uri $hvciscan_url -OutFile $hvciscan_exe -UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124."
	}

	Write-Host "Running hvciscan tool..." -ForegroundColor Yellow
	$hvciOutput = & $hvciscan_exe

	$driverFilePaths = $hvciOutput \| Select-String -Pattern 'HVCI: "(.*?)" failed' \| ForEach-Object {
	$_.Matches[0].Groups[1].Value
	}

	if ($driverFilePaths.Count -eq 0) {
	Write-Host "No drivers to remove." -ForegroundColor Red
	return
	}

	$driverFilePaths \| ForEach-Object {
	$sysDirectory = Split-Path $_

	if (Test-Path $_) {
	if ($sysDirectory -like '\Windows\System32\drivers\') {
	TakeOwnershipAndGrantPermission $_
	Write-Host "Found! " -ForegroundColor Green -NoNewline
	Write-Host "Removing driver file $_..." -ForegroundColor Yellow
	Remove-Item -Path $_ -Force
	} else {
	$searchDirectory = $sysDirectory
	while ($null -eq (Get-ChildItem -Path $searchDirectory -Filter "*.inf" -Recurse \| Select-Object -First 1) -and $searchDirectory -ne "C:\") {
	$searchDirectory = Split-Path $searchDirectory
	}

	if ($searchDirectory -ne "C:\") {
	TakeOwnershipAndGrantPermission $searchDirectory
	Write-Host "Found! " -ForegroundColor Green -NoNewline
	Write-Host "Removing driver directory $searchDirectory..." -ForegroundColor Yellow
	Remove-Item -Path $searchDirectory -Recurse -Force
	}
	}
	}
	}
	}

	# Function to enable Core Isolation and Memory Integrity
	function EnableCoreIsolationAndMemoryIntegrity {
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 1
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 1
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HypervisorEnforcedCodeIntegrity" -Value 1
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "WasEnabledBy" -Value 2
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -Value 1
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureSystemGuardLaunch" -Value 1
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureKernelShadowStacksLaunch" -Value 1
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HVCIMATRequired" -Value 1
	}

	# Function to disable Core Isolation and Memory Integrity
	function DisableCoreIsolationAndMemoryIntegrity {
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HypervisorEnforcedCodeIntegrity" -Value 0
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 0
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "WasEnabledBy" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureSystemGuardLaunch" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "ConfigureKernelShadowStacksLaunch" -Value 0
	Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 0
	Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "HVCIMATRequired" -Value 0
	}

	# Main script execution
	$action_hvci = Read-Host "Scan and delete unsafe drivers? (y/n)"
	if ($action_hvci -eq "y") {
	RemoveUnsafeDrivers
	}

	$action_isolation = Read-Host "Enable Windows Defender Core Isolation and Memory Integrity? (y/n)"
	if ($action_isolation -eq "y") {
	EnableCoreIsolationAndMemoryIntegrity
	} elseif ($action_isolation -eq "n") {
	$disable_isolation = Read-Host "Disable Windows Defender Core Isolation and Memory Integrity? (y/n)"
	if ($disable_isolation -eq "y") {
	DisableCoreIsolationAndMemoryIntegrity
	}
	}

	Write-Host "Script finished, please restart your computer." -ForegroundColor Cyan
	pause