wdormann wdormann
wdormann
/ disable_ddeauto.reg
Last active
June 6, 2023 09:07
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 |
wdormann
/ gist:c11750585c5c0eda2b09438ca30271ab
Created
October 20, 2017 13:10
Win10 BSOD after importing EMET profile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Microsoft (R) Windows Debugger Version 10.0.17016.1000 AMD64 | |
| Copyright (c) Microsoft Corporation. All rights reserved. | |
| Loading Dump File [C:\Users\test\Documents\MEMORY.DMP] | |
| Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available. | |
| Symbol search path is: srv* | |
| Executable search path is: |
wdormann
/ EG_popular.xml
Created
October 20, 2017 13:29
EG profile converted from EMET, which causes Win10 BSOD
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <MitigationPolicy> | |
| <SystemConfig> | |
| <DEP Enable="true" EmulateAtlThunks="false" /> | |
| <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="false" /> | |
| <StrictHandle Enable="false" /> | |
| <SystemCalls DisableWin32kSystemCalls="false" Audit="false" /> | |
| <ExtensionPoints DisableExtensionPoints="false" /> | |
| <DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" Audit="false" /> | |
| <ControlFlowGuard Enable="false" SuppressExports="false" StrictControlFlowGuard="false" /> |
wdormann
/ enable_bottom-up_ASLR.reg
Created
November 16, 2017 17:52
Enable both Mandatory ASLR *and* Bottom-up ASLR system-wide
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel] | |
| "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00 | |
wdormann
/ win10_applocker_no_foistware.xml
Created
December 31, 2017 22:48
Prevent automatic installation of foistware on Windows 10 versions using AppLocker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <AppLockerPolicy Version="1"> | |
| <RuleCollection Type="Appx" EnforcementMode="Enabled"> | |
| <FilePublisherRule Id="a1baec9b-3250-44fe-865d-41c9397dcfcd" Name="Microsoft.Windows.ContentDeliveryManager, from Microsoft Corporation" Description="Block foistware?" UserOrGroupSid="S-1-1-0" Action="Deny"> | |
| <Conditions> | |
| <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*"> | |
| <BinaryVersionRange LowSection="*" HighSection="*" /> | |
| </FilePublisherCondition> | |
| </Conditions> | |
| </FilePublisherRule> | |
| </RuleCollection> |
wdormann
/ disable_win10_foistware.reg
Created
January 2, 2018 23:15
Attempt at disabling Windows 10 automatic installation of 3rd-party foistware
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy] | |
| "Disabled"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager] | |
| "SubscribedContent-338388Enabled"=dword:00000000 | |
wdormann
/ acltest.ps1
Created
May 1, 2018 15:20
Check for paths that are writable by normal users, but are in the system-wide Windows path. Any such directory allows for privilege escalation.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
wdormann
/ flash_killbit.reg
Last active
June 1, 2021 15:03
Disable Flash ActiveX in all Windows versions (including 10)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MicrosoftEdge\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 | |
| [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] | |
| "Compatibility Flags"=dword:00000400 |
wdormann
/ checkaslrfiles.py
Last active
September 19, 2022 23:40
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE, | |
| but do not have a relocation table to allow ASLR to function. | |
| usage: checkaslrfiles.py <dir> | |
| ex: checkaslr.py "C:\Program Files\" | |
| requires: pefile <https://github.com/erocarrera/pefile>, which should be | |
| installable via: pip install pefile | |
| ''' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| import ctypes | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG'] | |
| FNULL = open(os.devnull, 'w') |
OlderNewer