From 000f23f027e34aff148be50867a75b9dcb65174a Mon Sep 17 00:00:00 2001
From: he3als <65787561+he3als@users.noreply.github.com>
Date: Sun, 9 Jul 2023 18:00:43 +0100
Subject: [PATCH] feat: remove PROMPTS.ps1 & add mitigations options
---
 src/Configuration/tweaks.yml | 3 +-
 .../tweaks/scripts/script-mitigations.yml | 10 ++++
 .../tweaks/scripts/script-prompts.yml | 10 ----
 .../tweaks/statuses/status-prompts.yml | 6 --
 src/Executables/PROMPTS.ps1 | 58 -------------------
 5 files changed, 11 insertions(+), 76 deletions(-)
 create mode 100644 src/Configuration/tweaks/scripts/script-mitigations.yml
 delete mode 100644 src/Configuration/tweaks/scripts/script-prompts.yml
 delete mode 100644 src/Configuration/tweaks/statuses/status-prompts.yml
diff --git a/src/Configuration/tweaks.yml b/src/Configuration/tweaks.yml
index 8ed6b57977..9b2e429547 100644
--- a/src/Configuration/tweaks.yml
+++ b/src/Configuration/tweaks.yml
@@ -14,8 +14,6 @@ features:
 # Configure PowerShell first so that other PowerShell scripts work
 - tweaks\qol\config-powershell.yml
- - tweaks\statuses\status-prompts.yml
- - tweaks\scripts\script-prompts.yml
 - tweaks\statuses\status-ngen.yml
 - tweaks\scripts\script-ngen.yml
@@ -333,6 +331,7 @@ features:
 - tweaks\statuses\status-scripts.yml
 - tweaks\scripts\script-storage-sense.yml
 - tweaks\scripts\script-core-isolation.yml
+ - tweaks\scripts\script-mitigations.yml
 - tweaks\scripts\script-devices.yml
 - tweaks\scripts\script-cleanup.yml
 - tweaks\scripts\script-startmenu.yml
diff --git a/src/Configuration/tweaks/scripts/script-mitigations.yml b/src/Configuration/tweaks/scripts/script-mitigations.yml
new file mode 100644
index 0000000000..7e3c7abcf3
--- /dev/null
+++ b/src/Configuration/tweaks/scripts/script-mitigations.yml
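Review bot: The only reference to PROMPTS.ps1 visible in this patch (script-prompts.yml) is deleted, yet the diffstat lists src/Executables/PROMPTS.ps1 as modified with 58 deletions rather than removed, while the subject says it is removed; either delete the file in this commit or document why its remaining mitigations prompt is kept when nothing in tweaks.yml appears to invoke it any more. The new `script-mitigations.yml` entry in the second hunk sits between `script-core-isolation.yml` and `script-devices.yml`, but the fact that it only runs under a user-selected option is stated nowhere in this list. A one-line comment next to the entry, e.g. `# Conditional on the 'mitigations-disable' option (see tweaks\scripts\script-mitigations.yml)`, would tell a reader scanning this file why it differs from its neighbours.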
@@ -0,0 +1,10 @@
+---
+title: Disable Mitigations
+description: Disables mitigations in Windows dependant on the user's options
+privilege: TrustedInstaller
+actions:
+ - !run:
+ exe: 'C:\Users\Default\Desktop\Atlas\3. Configuration\1. General Configuration\Mitigations\Disable All Mitigations.cmd'
+ args: '/silent'
+ wait: true
+ options: 'mitigations-disable'
diff --git a/src/Configuration/tweaks/scripts/script-prompts.yml b/src/Configuration/tweaks/scripts/script-prompts.yml
deleted file mode 100644
index 39d0a71dac..0000000000
--- a/src/Configuration/tweaks/scripts/script-prompts.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: Show User Prompts
-description: Shows prompts to the user to toggle certain features like VBS or Defender
-privilege: TrustedInstaller
-actions:
- - !run:
- exe: 'powershell.exe'
- args: '-NoP -File PROMPTS.ps1'
- exeDir: true
- wait: true
diff --git a/src/Configuration/tweaks/statuses/status-prompts.yml b/src/Configuration/tweaks/statuses/status-prompts.yml
deleted file mode 100644
index b04e5f3ed2..0000000000
--- a/src/Configuration/tweaks/statuses/status-prompts.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Status in AME Wizard for PowerShell Prompts
-description: Displays a status in AME Wizard for a specified category
-privilege: TrustedInstaller
-actions:
- - !writeStatus: {status: 'Waiting for user prompts'}
\ No newline at end of file
diff --git a/src/Executables/PROMPTS.ps1 b/src/Executables/PROMPTS.ps1
index 73401780d5..16002ec943 100644
--- a/src/Executables/PROMPTS.ps1
+++ b/src/Executables/PROMPTS.ps1
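Review bot: The `exe` path of the new `!run` action is hard-coded under `C:\Users\Default\Desktop\...`, whereas the prompt it replaces (the surviving context lines in PROMPTS.ps1 further down) resolved the same script from the signed-in user's profile; if the Atlas folder is only deployed to the active user's desktop, this action finds nothing to run, so the choice of the Default profile deserves a comment such as `# Intentionally the Default profile, not the signed-in user's — confirm against the tweak that copies the Atlas folder`. Since the action runs with `privilege: TrustedInstaller` and no `exeDir`, whatever file sits at that absolute path when the tweak executes is run at that privilege, so it is worth documenting in the same comment which earlier tweak places the folder there and that the location is not writable by standard users (I cannot tell either from this patch). The description also has a typo: `description: Disables mitigations in Windows dependent on the user's options`.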
@@ -32,62 +32,4 @@ if ($intButton -eq '6') { # if 'Yes'
 $loggedinUsername = (Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName) -replace '^.*\\'
 $mitigationScriptPath = "C:\Users\$loggedInUsername\Desktop\Atlas\3. Configuration\1. General Configuration\Mitigations\Disable All Mitigations.cmd"
 Start-Process -WindowStyle Hidden -FilePath "$mitigationScriptPath" -ArgumentList "/silent"
-}
-
-<#
- --------------------------
- Core Isolation
- --------------------------
-#>
-
-$WindowTitle = 'Core Isolation - Atlas'
-
-$Message = @'
-Would you like to enable Core Isolation (Virtualization Based Security)?
-
-Core Isolation is a feature in Windows that aims to protect very important parts of the operating system. Its main feature is called Memory Integrity.
-
-This prevents attackers, malware or compromised programs from using vulnerabilities within drivers or other important components of Windows to gain access to the operating system.
-
-Although this improves security, it will significantly worsen performance (up to ~10% in some cases), especially on older CPUs like Intel 8th gen or AMD Zen 2, but it is even impactful on recent CPUs.
-
-You can configure this later in Windows Security app.
-
-Automatically selecting 'No' in 5 minutes, which will disable Core Isolation features...
-'@
-
-# Default option is 'No'
-$intButton = '7'
-$intButton = $sh.Popup($Message,300,$WindowTitle,4+48+0)
-
-$memIntegrity = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
-$kernelShadowStacks = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks"
-$credentialGuard = "HKLM:\System\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard"
-
-if ($intButton -eq '7') { # if 'No'
- Write-Host Disabling VBS features...
-
- # Memory Integrity
- if (Test-Path $memIntegrity) {
- New-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 0 -PropertyType DWORD -Force
- Remove-ItemProperty -Path $memIntegrity -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
- Remove-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -ErrorAction SilentlyContinue
- }
-
- # Kernel-mode Hardware-enforced Stack Protection (Windows 11 only)
- if (Test-Path $kernelShadowStacks) {
- New-ItemProperty -Path $kernelShadowStacks -Name "Enabled" -Value 0 -PropertyType DWORD -Force
- Remove-ItemProperty -Path $kernelShadowStacks -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
- Remove-ItemProperty -Path $kernelShadowStacks -Name "WasEnabledBy" -ErrorAction SilentlyContinue
- }
-
- # Credential Guard (Windows 11 only)
- if (Test-Path $credentialGuard) {
- New-ItemProperty -Path $credentialGuard -Name "Enabled" -Value 0 -PropertyType DWORD -Force
- Remove-ItemProperty -Path $credentialGuard -Name "ChangedInBootCycle" -ErrorAction SilentlyContinue
- Remove-ItemProperty -Path $credentialGuard -Name "WasEnabledBy" -ErrorAction SilentlyContinue
- }
-} else {
- Set-ItemProperty -Path $memIntegrity -Name "Enabled" -Value 1 -Type DWord
- Set-ItemProperty -Path $memIntegrity -Name "WasEnabledBy" -Value 2 -Type DWord
 }
\ No newline at end of file