diff --git a/post/optimize.bat b/post/optimize.bat
index 622f317..42f3547 100755
--- a/post/optimize.bat
+++ b/post/optimize.bat
@@ -47,17 +47,17 @@ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebCon echo Disabling Windows Defender... reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f || ( - rem Fails due to Tamper Protection which is enabled by default on the latest versions of Windows 10 to stop malware from automatically disabling Windows Defender in order to bypass it - rem To bypass Tamper Protection and disable Windows Defender anyway we remove all permissions from the WinDefend service registry key by disabling permission inheritance - rem Tamper Protection disallows the deleting of the below registry key but is fine with us changing the permissions on it - rem This simple method causes Windows Defender to fail to start on the next boot + rem Fails due to Tamper Protection which is enabled by default on newer versions of Windows 10 to stop malware from programmatically disabling Windows Defender + rem To bypass Tamper Protection and disable Windows Defender anyway, we remove all permissions from the WinDefend service registry key by disabling permission inheritance + rem Tamper Protection disallows deletion of the below registry key but is fine with us changing the permissions on it + rem This simple method causes starting Windows Defender to fail on the next boot rem The ownership change is not necessary, it's just so a user can easily re-enable Windows Defender without getting SYSTEM privileges rem This change is not detected by sfc /scannow, however, may be reset by a Windows update rem To re-enable Windows Defender, open the advanced permission settings on the registry key below and click "Enable Inheritance" then change the owner to "SYSTEM" rem The Microsoft Security Response Center (MSRC) does not consider this to be a security vulnerability because it requires administrator privileges and "a malicious administrator can do much worse things" - rem I expected this, but, reported it anyway just to 
be sure - rem Additionally, it's perfectly reasonable for an enterprise administrator to want to disable Windows Defender across all their Windows machines automatically + rem I expected this, but reported it anyway just to be sure + rem Additionally, it's perfectly reasonable for an enterprise administrator to want to disable Windows Defender across all their Windows machines programmatically powershell -Command "$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'; $acl = Get-Acl -Path $path; $acl.SetOwner((New-Object System.Security.Principal.NTAccount('Builtin', 'Administrators'))); $acl.SetAccessRuleProtection($true, $false); Set-Acl -Path $path -AclObject $acl" ) @@ -85,7 +85,8 @@ for %%t in ("%win_task_dir%\Defrag\ScheduledDefrag" "%win_task_dir%\DiskDiagnost schtasks /change /tn %%t /disable ) -rem The QWT installer has already enabled the "Power" service and configured settings as suggested +rem The QWT installer has already enabled the "Power" service and configured settings as suggested: +rem https://github.com/QubesOS/qubes-installer-qubes-os-windows-tools/blob/master/power_settings.bat echo Disabling hibernation... powercfg -h off || (
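Review bot: The `||` fallback after `reg add ... DisableAntiSpyware` runs the PowerShell ACL change on any failure of `reg add`, not only the Tamper Protection case the reworded comments describe, and the `powershell -Command` line's own exit status is never checked, so an unelevated run or a failed `Set-Acl` leaves the script silent while the comment promises Defender will fail to start on the next boot. Appending a check such as `powershell -Command "..." || echo WARNING: could not change permissions on HKLM\SYSTEM\CurrentControlSet\Services\WinDefend` would let the operator see when neither method took effect. The re-enable instructions in the comment block could also state that the resulting owner on the WinDefend service key (Builtin\Administrators instead of SYSTEM) is the marker to look for when auditing or reverting the change. The second hunk only adds a reference URL and needs no change.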