Mark Burnett m8urnett

## EnableAMSILogging.ps1
$AutoLoggerName = 'MyAMSILogger'
$AutoLoggerGuid = "{$((New-Guid).Guid)}"

New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41

## @ batch scripts for power users.md

      
              14 files
            
          
              8 forks
            
          
              2 comments
            
          
              63 stars
            
          
                AveYo
                / @ batch scripts for power users.md
            
            
              Last active
              May 18, 2024 02:01
            
              
                Windows batch scripts for power users 
              
          
    windows_update_toggle.bat v10.1 final

~ one script to rule them all!

~ block build upgrades and/or automatic updates without breawking Store downloads and Defender protection updates

~ there is a lot of focus on Defender updates working independently, unlike any other updates "management" solution

~ ifeo safe blocking with no destructive changes of ownership, deleting files, removing tasks, or over-blocking

~ toggle everything from the Desktop right-click context menu!

but wait, there is more:

~ hide/unhide/install update lists with counter at the Desktop right-click context menu!
Previous update toggle batch suite scripts have been overwritten on pastebin, but will still be available here:

  
## Get-ClrReflection.ps1
function Get-ClrReflection
{
    <#
    .SYNOPSIS

    Detects memory-only CLR (.NET) modules

    Author: Joe Desimone (@dez_)
    License: BSD 3-Clause


## BaseEnforcementPolicy.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
    <Rule>

## enable_win_guard.ps1
# Enable Required Windows Features
Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName:Microsoft-Hyper-V-Hypervisor -All
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName: Microsoft-Hyper-V-Tools-All, Microsoft-Hyper-V-Services
Get-WindowsOptionalFeature -Online -FeatureName "IsolatedUserMode" | Enable-WindowsOptionalFeature -Online -NoRestart

# Enable DeviceGuard Security Flags
#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType "DWORD" -Value 1 -Force

# Info Source: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security#use-registry-keys-to-enable-vbs-and-device-guard

## ExcelXLL.md

      
              1 file
            
          
              60 forks
            
          
              3 comments
            
          
              110 stars
            
          
                ryhanson
                / ExcelXLL.md
            
            
              Last active
              March 29, 2024 05:27
            
              
                Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
              
          
    DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

  
## squid-with-data-compression.md

      
              2 files
            
          
              1 fork
            
          
              2 comments
            
          
              4 stars
            
          
                mayli
                / squid-with-data-compression.md
            
            
              Created
              November 13, 2016 05:29
            
              
                Using squid and data compression proxy to reduce traffic for cat pictures
              
          
    Squid

Squid is a HTTP(S) caching proxy to reduce bandwidth and improves response times.
data compression proxy

Data compression proxy is a http proxy by google aimming to reduce cellular data usage by gzip and webp (Yes, it will compress jpg, png and gif to webp).
Squid + data compression proxy


## make_windows10_great_again.bat
@echo off
setlocal EnableDelayedExpansion

ver | find "10." > nul
if errorlevel 1 (
	echo Your Windows version is not Windows 10... yet. Brace yourself, Windows 10 is coming^^!
	pause
	exit
)

## Imaging-Win10.ps1
#requires -version 4.0
#requires -modules Storage,DISM
#Requires -RunAsAdministrator
<#
	.NOTES
	===========================================================================
	 Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.117
	 Created on:   	3/16/2016 10:05
	 Created by:   	Colin Squier <hexalon@gmail.com>
	 Filename:     	Imaging-Win10.ps1

## dg.ps1
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d  = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"
New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
$s2.Delete()
Remove-Item -Path C:\scpy -Force
Set-RuleOption –option 3 –FilePath C:\BasePolicy.xml
ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force
	$AutoLoggerName = 'MyAMSILogger'
	$AutoLoggerGuid = "{$((New-Guid).Guid)}"

	New-AutologgerConfig -Name $AutoLoggerName -Guid $AutoLoggerGuid -Start Enabled
	Add-EtwTraceProvider -AutologgerName $AutoLoggerName -Guid '{2A576B87-09A7-520E-C21A-4942F0271D67}' -Level 0xff -MatchAnyKeyword ([UInt64] (0x8000000000000001 -band ([UInt64]::MaxValue))) -Property 0x41
	function Get-ClrReflection
	{
	<#
	.SYNOPSIS

	Detects memory-only CLR (.NET) modules

	Author: Joe Desimone (@dez_)
	License: BSD 3-Clause
	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	<Rule>
	# Enable Required Windows Features
	Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName:Microsoft-Hyper-V-Hypervisor -All
	Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName: Microsoft-Hyper-V-Tools-All, Microsoft-Hyper-V-Services
	Get-WindowsOptionalFeature -Online -FeatureName "IsolatedUserMode" \| Enable-WindowsOptionalFeature -Online -NoRestart

	# Enable DeviceGuard Security Flags
	#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
	New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType "DWORD" -Value 1 -Force

	# Info Source: https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security#use-registry-keys-to-enable-vbs-and-device-guard
	@echo off
	setlocal EnableDelayedExpansion

	ver \| find "10." > nul
	if errorlevel 1 (
	echo Your Windows version is not Windows 10... yet. Brace yourself, Windows 10 is coming^^!
	pause
	exit
	)
	#requires -version 4.0
	#requires -modules Storage,DISM
	#Requires -RunAsAdministrator
	<#
	.NOTES
	===========================================================================
	Created with: SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.117
	Created on: 3/16/2016 10:05
	Created by: Colin Squier <hexalon@gmail.com>
	Filename: Imaging-Win10.ps1
	$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
	$s2 = gwmi Win32_ShadowCopy \| ? { $_.ID -eq $s1.ShadowID }
	$d = $s2.DeviceObject + "\"
	cmd /c mklink /d C:\scpy "$d"
	New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
	$s2.Delete()
	Remove-Item -Path C:\scpy -Force
	Set-RuleOption –option 3 –FilePath C:\BasePolicy.xml
	ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
	Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force