Merge branch 'dev' into defender-toggle

.vscode/settings.json

@@ -0,0 +1,16 @@
+{
+    "yaml.customTags": [
+        "!run: mapping",
+        "!registryKey: mapping",
+        "!registryValue: mapping",
+        "!appx: mapping",
+        "!file: mapping",
+        "!service: mapping",
+        "!scheduledTask: mapping",
+        "!taskKill: mapping",
+        "!systemPackage: mapping",
+        "!cmd: mapping",
+        "!powerShell: mapping",
+        "!writeStatus: mapping"
+    ],
+}

src/playbook/Configuration/tweaks.yml

@@ -61,6 +61,7 @@ features:
   - tweaks\performance\disable-background-apps.yml
   - tweaks\performance\extend-cache.yml
   - tweaks\performance\no-search-invalid-shortcuts.yml
+  - tweaks\performance\disable-fth.yml
 
   # -------------------------------------------------------------------------- #
   #  performance\system                                                        #

src/playbook/Configuration/tweaks/performance/disable-fth.yml

@@ -0,0 +1,17 @@
+---
+title: Disable Fault Tolerant Heap (FTH)
+description: FTH is a feature in Windows 7+ that applies mitigations (non-CPU related) to applications that repeatedly crash to prevent further crashes, but when the FTH is active for a certain application, there's a performance hit.
+privilege: TrustedInstaller
+actions:
+    # https://devblogs.microsoft.com/oldnewthing/20120125-00/?p=8463
+    # Document listed as only affected in Windows 7, is also in 7+
+    # https://docs.microsoft.com/en-us/windows/win32/win7appqual/fault-tolerant-heap
+    # https://www.3dcadworld.com/windows-7-fault-tolerant-heap-prevents-crashing/
+
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Microsoft\FTH'
+    value: 'Enabled'
+    data: '0'
+    type: REG_DWORD
+    # Reset FTH entries
+  - !run: {exe: 'rundll32.exe', args: 'fthsvc.dll,FthSysprepSpecialize'}

src/playbook/Executables/Atlas/3. Configuration/1. General Configuration/Mitigations/Disable All Mitigations.cmd

@@ -13,15 +13,6 @@ whoami /user | find /i "S-1-5-18" > nul 2>&1 || (
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f > nul
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f > nul
 
-:: Rename Spectre and Meltdown updates
-ren !windir!\System32\mcupdate_GenuineIntel.dll mcupdate_GenuineIntel.old
-ren !windir!\System32\mcupdate_AuthenticAMD.dll mcupdate_AuthenticAMD.old
-
-:: Disable Fault Tolerant Heap (FTH)
-:: https://docs.microsoft.com/en-us/windows/win32/win7appqual/fault-tolerant-heap
-:: Document listed as only affected in Windows 7, is also in 7+
-reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f > nul
-
 :: Disable Structured Exception Handling Overwrite Protection (SEHOP)
 :: Exists in ntoskrnl strings, keep for now
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f > nul
@@ -42,24 +33,18 @@ for /l %%a in (0,1,9) do (
 )
 
 :: Fix Valorant with mitigations disabled - enable CFG
-for %%a in (valorant valorant-win64-shipping vgtray vgc) do (
-    PowerShell -NoP -C "Set-ProcessMitigation -Name %%a.exe -Enable CFG" > nul
-)
+set "enableCFGApps=valorant valorant-win64-shipping vgtray vgc"
+PowerShell -NoP -C "foreach ($a in $($env:enableCFGApps -split ' ')) {Set-ProcessMitigation -Name $a`.exe -Enable CFG}" > nul
+
+:: Set Data Execution Prevention (DEP) only for operating system components
+:: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
+:: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set#verification-settings
+bcdedit /set nx OptIn > nul
 
 :: Apply mask to kernel
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "!mitigation_mask!" /f > nul
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "!mitigation_mask!" /f > nul
 
-:: Disable virtualization-based protection of code integrity
-:: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "0" /f > nul
-
-:: Disable Data Execution Prevention (DEP)
-:: It may be needed to enable it for FACEIT, Valorant and other anti-cheats
-:: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
-PowerShell -NoP -C "Set-ProcessMitigation -System -Disable DEP, EmulateAtlThunks"
-bcdedit /set nx AlwaysOff > nul
-
 :: Disable file system mitigations
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f > nul
 

src/playbook/Executables/Atlas/3. Configuration/1. General Configuration/Mitigations/Enable All Mitigations.cmd

@@ -24,15 +24,6 @@ wmic cpu get name | findstr "AMD" > nul && (
     reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "64" /f > nul
 )
 
-:: Rename Spectre and Meltdown updates
-ren !windir!\System32\mcupdate_GenuineIntel.old mcupdate_GenuineIntel.dll > nul 2>&1
-ren !windir!\System32\mcupdate_AuthenticAMD.old mcupdate_AuthenticAMD.dll > nul 2>&1
-
-:: Enable Fault Tolerant Heap (FTH)
-:: https://docs.microsoft.com/en-us/windows/win32/win7appqual/fault-tolerant-heap
-:: Document listed as only affected in Windows 7, is also in 7+
-reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "1" /f > nul
-
 :: Enable Structured Exception Handling Overwrite Protection (SEHOP)
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "0" /f > nul
 
@@ -53,11 +44,7 @@ for /l %%a in (0,1,9) do (
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationAuditOptions" /t REG_BINARY /d "!mitigation_mask!" /f > nul
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "MitigationOptions" /t REG_BINARY /d "!mitigation_mask!" /f > nul
 
-:: Set Virtualization Based Protection Of Code Integrity to default
-:: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "1" /f > nul
-
-:: Enable Data Execution Prevention (DEP)
+:: Enable Data Execution Prevention (DEP) always
 :: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
 bcdedit /set nx AlwaysOn > nul
 

src/playbook/Executables/Atlas/3. Configuration/1. General Configuration/Mitigations/Fault Tolerant Heap/Disable FTH.reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH]
+"Enabled"=dword:00000000

src/playbook/Executables/Atlas/3. Configuration/1. General Configuration/Mitigations/Fault Tolerant Heap/Enable FTH.reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH]
+"Enabled"=dword:00000001

src/playbook/Executables/Atlas/3. Configuration/1. General Configuration/Mitigations/Set Windows Default Mitigations.cmd

@@ -10,15 +10,6 @@ whoami /user | find /i "S-1-5-18" > nul 2>&1 || (
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /f > nul 2>&1
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /f > nul 2>&1
 
-:: Rename Spectre and Meltdown updates
-ren !windir!\System32\mcupdate_GenuineIntel.old mcupdate_GenuineIntel.dll > nul 2>&1
-ren !windir!\System32\mcupdate_AuthenticAMD.old mcupdate_AuthenticAMD.dll > nul 2>&1
-
-:: Enable Fault Tolerant Heap (FTH)
-:: https://docs.microsoft.com/en-us/windows/win32/win7appqual/fault-tolerant-heap
-:: Document listed as only affected in Windows 7, is also in 7+
-reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "1" /f > nul
-
 :: Enable Structured Exception Handling Overwrite Protection (SEHOP)
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /f > nul 2>&1
 
@@ -30,9 +21,9 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "Mi
 :: https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
 reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f > nul 2>&1
 
-:: Enable Data Execution Prevention (DEP) for system components only
+:: Set Data Execution Prevention (DEP) only for operating system components
 :: https://docs.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
-:: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+:: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set#verification-settings
 bcdedit /set nx OptIn > nul
 
 :: Enable file system mitigations

src/playbook/playbook.conf

@@ -37,7 +37,7 @@
 					<Name>defender-disable</Name>
 				</RadioOption>
 			</Options>
-			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/placeholder"/>
+			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/security/#defender"/>
 		</RadioPage>
 		<RadioPage IsRequired="true" DefaultOption="mitigations-default" Description="Disabling mitigations reduces security, yet improves performance only on older CPUs.">
 			<TopLine Text="You can change this later in the Atlas folder."/>
@@ -51,7 +51,7 @@
 					<Name>mitigations-disable</Name>
 				</RadioOption>
 			</Options>
-			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/configuration/#mitigations"/>
+			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/security/#mitigations"/>
 		</RadioPage>
 		<RadioPage IsRequired="true" DefaultOption="vbs-disable" Description="Enabling Core Isolation protects important parts of Windows, but it reduces performance.">
 			<TopLine Text="You can change this later in Windows Security."/>
@@ -65,7 +65,7 @@
 					<Name>vbs-default</Name>
 				</RadioOption>
 			</Options>
-			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/configuration/#core-isolation"/>
+			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/security/#core-isolation"/>
 		</RadioPage>
 		<CheckboxPage IsRequired="true" Description="Select the miscellaneous options that you would like to use, which you can change later.">
 			<Options>
@@ -110,7 +110,7 @@
 					<GradientBottomColor>#E38A84</GradientBottomColor>
 				</RadioImageOption>
 			</Options>
-			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/placeholder"/>
+			<BottomLine Text="Learn more" Link="https://docs.atlasos.net/getting-started/post-installation/software/web-browsers"/>
 		</RadioImagePage>
 		<RadioPage IsRequired="true" DependsOn="browser-librewolf" DefaultOption="librewolf-winupdater" Description="Please select how you would like LibreWolf to be installed.">
 			<TopLine Text="Chocolatey needs manual updates, unlike normal."/>