HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Improved boot strapper for Harden Windows Security #320

Closed HenkPoley closed 4 weeks ago

HenkPoley commented 4 weeks ago

Tools category: Harden Windows Security Module


Please Explain The Bug

Another bug on Windows 11 23H2 on Apple Silicon M1 (ARM), when applying the Microsoft Defender category.

It can run x86 just fine, so that's not it. I haven't looked at what it's attempting to start.

Translated log (just the last line)

14-8-2024 19:12:14: Adding process mitigations for WINWORD.EXE
14-8-2024 19:12:14: Turning on Data Execution Prevention (DEP) for all applications, including 32-bit programs
14-8-2024 19:12:14: Attempt to load a program with an incorrect format. (0x8007000B)

Log:

**********************
Harden Windows Security operation log start
Start time: 08/14/2024 19:11:34
Username: Henk Poley
Machine: WINDOWS-CQ5PGD8
Host Application: C:\Program Files\PowerShell\7
Process ID: 9024
PSVersion: 7.4.4
PSEdition: Core
GitCommitId: 7.4.4
OS Build: 10.0.22631.0
Platform: Win32NT
PSCompatibleVersions: 1.0 2.0 3.0 4.0 5.0 5.1 6.0 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
Execution Policy: Undefined
**********************
14-8-2024 19:11:35: Hello Henk Poley, Running as Administrator
14-8-2024 19:11:36: Downloading the required files
14-8-2024 19:11:37: Finished downloading/processing the required files
14-8-2024 19:11:57: Logs will be saved in: C:\Users\Henk Poley\Desktop\harden.txt
14-8-2024 19:12:02: =========================
14-8-2024 19:12:02: Processing the Microsoft Defender category function
14-8-2024 19:12:02: Running the Microsoft Defender category
14-8-2024 19:12:11: Optimizing Network Protection Performance of the Microsoft Defender
14-8-2024 19:12:12: Enabling Real-time protection and Security Intelligence Updates during OOBE
14-8-2024 19:12:12: Enabling Intel Threat Detection Technology
14-8-2024 19:12:13: Enabling Restore point scan
14-8-2024 19:12:13: Disabling Performance mode of Defender that only applies to Dev drives by lowering security
14-8-2024 19:12:13: Setting the Network Protection to block network traffic instead of displaying a warning
14-8-2024 19:12:13: Setting the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious
14-8-2024 19:12:13: Setting the Brute-Force Protection to prevent suspicious and malicious behaviors
14-8-2024 19:12:13: Setting the internal feature logic to determine blocking time for the Brute-Force Protections
14-8-2024 19:12:13: Setting the Remote Encryption Protection to use cloud intel and context, and block when confidence level is above 90%
14-8-2024 19:12:13: Setting the Remote Encryption Protection to prevent suspicious and malicious behaviors
14-8-2024 19:12:13: Setting the internal feature logic to determine blocking time for the Remote Encryption Protection
14-8-2024 19:12:13: Adding OneDrive folders of all the user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
14-8-2024 19:12:14: @{PSComputerName=}
14-8-2024 19:12:14: Enabling Mandatory ASLR Exploit Protection system-wide
14-8-2024 19:12:14: Excluding GitHub Desktop Git executables from mandatory ASLR if they are found
14-8-2024 19:12:14: Excluding Git executables from mandatory ASLR if they are found
14-8-2024 19:12:14: Applying the Process Mitigations
14-8-2024 19:12:14: Removing the existing process mitigations
14-8-2024 19:12:14: Adding the process mitigations
14-8-2024 19:12:14: Adding process mitigations for Acrobat.exe
14-8-2024 19:12:14: Adding process mitigations for csrss.exe
14-8-2024 19:12:14: Adding process mitigations for EXCEL.EXE
14-8-2024 19:12:14: Adding process mitigations for explorer.exe
14-8-2024 19:12:14: Adding process mitigations for lsass.exe
14-8-2024 19:12:14: Adding process mitigations for MSACCESS.EXE
14-8-2024 19:12:14: Adding process mitigations for msedge.exe
14-8-2024 19:12:14: Adding process mitigations for msedgewebview2.exe
14-8-2024 19:12:14: Adding process mitigations for MSPUB.EXE
14-8-2024 19:12:14: Adding process mitigations for NisSrv.exe
14-8-2024 19:12:14: Adding process mitigations for OneDrive.exe
14-8-2024 19:12:14: Adding process mitigations for ONENOTE.EXE
14-8-2024 19:12:14: Adding process mitigations for OUTLOOK.EXE
14-8-2024 19:12:14: Adding process mitigations for POWERPNT.EXE
14-8-2024 19:12:14: Adding process mitigations for QuickAssist.exe
14-8-2024 19:12:14: Adding process mitigations for Regsvr32.exe
14-8-2024 19:12:14: Adding process mitigations for rundll32.exe
14-8-2024 19:12:14: Adding process mitigations for RuntimeBroker.exe
14-8-2024 19:12:14: Adding process mitigations for services.exe
14-8-2024 19:12:14: Adding process mitigations for SmartScreen.exe
14-8-2024 19:12:14: Adding process mitigations for SMSS.exe
14-8-2024 19:12:14: Adding process mitigations for vmcompute.exe
14-8-2024 19:12:14: Adding process mitigations for vmwp.exe
14-8-2024 19:12:14: Adding process mitigations for WindowsSandbox.exe
14-8-2024 19:12:14: Adding process mitigations for WindowsSandboxClient.exe
14-8-2024 19:12:14: Adding process mitigations for Wininit.exe
14-8-2024 19:12:14: Adding process mitigations for WINWORD.EXE
14-8-2024 19:12:14: Turning on Data Execution Prevention (DEP) for all applications, including 32-bit programs
14-8-2024 19:12:14: Attempt to load a program with an incorrect format. (0x8007000B)
**********************
Harden Windows Security operation log end
End time: 14-8-2024 19:12:19
**********************

Error Details

No response

HenkPoley commented 4 weeks ago

Looks like it works fine when I run a PowerShell 7 where $Env:PROCESSOR_ARCHITECTURE equals to ARM64 (instead of AMD64)

(winget --id Microsoft.Powershell installs the AMD64 (x86) version.)

**********************
Harden Windows Security operation log start
Start time: 08/14/2024 19:27:17
Username: Henk Poley
Machine: WINDOWS-CQ5PGD8
Host Application: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.4.0_arm64__8wekyb3d8bbwe
Process ID: 2044
PSVersion: 7.4.4
PSEdition: Core
GitCommitId: 7.4.4
OS Build: 10.0.22631.0
Platform: Win32NT
PSCompatibleVersions: 1.0 2.0 3.0 4.0 5.0 5.1 6.0 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
Execution Policy: Undefined
**********************
14-8-2024 19:27:17: Hello Henk Poley, Running as Administrator
14-8-2024 19:27:17: Downloading the required files
14-8-2024 19:27:18: Finished downloading/processing the required files
14-8-2024 19:27:23: =========================
14-8-2024 19:27:23: Processing the Microsoft Defender category function
14-8-2024 19:27:23: Running the Microsoft Defender category
14-8-2024 19:27:28: Optimizing Network Protection Performance of the Microsoft Defender
14-8-2024 19:27:29: Enabling Real-time protection and Security Intelligence Updates during OOBE
14-8-2024 19:27:29: Enabling Intel Threat Detection Technology
14-8-2024 19:27:29: Enabling Restore point scan
14-8-2024 19:27:29: Disabling Performance mode of Defender that only applies to Dev drives by lowering security
14-8-2024 19:27:29: Setting the Network Protection to block network traffic instead of displaying a warning
14-8-2024 19:27:29: Setting the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious
14-8-2024 19:27:29: Setting the Brute-Force Protection to prevent suspicious and malicious behaviors
14-8-2024 19:27:29: Setting the internal feature logic to determine blocking time for the Brute-Force Protections
14-8-2024 19:27:29: Setting the Remote Encryption Protection to use cloud intel and context, and block when confidence level is above 90%
14-8-2024 19:27:29: Setting the Remote Encryption Protection to prevent suspicious and malicious behaviors
14-8-2024 19:27:29: Setting the internal feature logic to determine blocking time for the Remote Encryption Protection
14-8-2024 19:27:29: Adding OneDrive folders of all the user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
14-8-2024 19:27:30: @{PSComputerName=}
14-8-2024 19:27:30: Enabling Mandatory ASLR Exploit Protection system-wide
14-8-2024 19:27:30: Excluding GitHub Desktop Git executables from mandatory ASLR if they are found
14-8-2024 19:27:30: Excluding Git executables from mandatory ASLR if they are found
14-8-2024 19:27:30: Applying the Process Mitigations
14-8-2024 19:27:30: Removing the existing process mitigations
14-8-2024 19:27:30: Adding the process mitigations
14-8-2024 19:27:30: Adding process mitigations for Acrobat.exe
14-8-2024 19:27:30: Adding process mitigations for csrss.exe
14-8-2024 19:27:30: Adding process mitigations for EXCEL.EXE
14-8-2024 19:27:30: Adding process mitigations for explorer.exe
14-8-2024 19:27:30: Adding process mitigations for lsass.exe
14-8-2024 19:27:30: Adding process mitigations for MSACCESS.EXE
14-8-2024 19:27:30: Adding process mitigations for msedge.exe
14-8-2024 19:27:30: Adding process mitigations for msedgewebview2.exe
14-8-2024 19:27:30: Adding process mitigations for MSPUB.EXE
14-8-2024 19:27:30: Adding process mitigations for NisSrv.exe
14-8-2024 19:27:30: Adding process mitigations for OneDrive.exe
14-8-2024 19:27:30: Adding process mitigations for ONENOTE.EXE
14-8-2024 19:27:30: Adding process mitigations for OUTLOOK.EXE
14-8-2024 19:27:30: Adding process mitigations for POWERPNT.EXE
14-8-2024 19:27:30: Adding process mitigations for QuickAssist.exe
14-8-2024 19:27:30: Adding process mitigations for Regsvr32.exe
14-8-2024 19:27:30: Adding process mitigations for rundll32.exe
14-8-2024 19:27:30: Adding process mitigations for RuntimeBroker.exe
14-8-2024 19:27:30: Adding process mitigations for services.exe
14-8-2024 19:27:30: Adding process mitigations for SmartScreen.exe
14-8-2024 19:27:30: Adding process mitigations for SMSS.exe
14-8-2024 19:27:30: Adding process mitigations for vmcompute.exe
14-8-2024 19:27:30: Adding process mitigations for vmwp.exe
14-8-2024 19:27:30: Adding process mitigations for WindowsSandbox.exe
14-8-2024 19:27:30: Adding process mitigations for WindowsSandboxClient.exe
14-8-2024 19:27:30: Adding process mitigations for Wininit.exe
14-8-2024 19:27:30: Adding process mitigations for WINWORD.EXE
14-8-2024 19:27:30: Turning on Data Execution Prevention (DEP) for all applications, including 32-bit programs
14-8-2024 19:27:30: Turning on Smart App Control
14-8-2024 19:27:30: Enabling Optional Diagnostic Data because SAC is on or user selected to turn it on
14-8-2024 19:27:30: Getting the state of fast weekly Microsoft recommended driver block list update scheduled task
14-8-2024 19:27:32: Creating scheduled task for fast weekly Microsoft recommended driver block list update
14-8-2024 19:27:43: Logs will be saved in: C:\Users\Henk Poley\Desktop\harden_2.txt
14-8-2024 19:27:46: =========================
14-8-2024 19:27:46: Processing the Microsoft Defender category function
14-8-2024 19:27:46: Running the Microsoft Defender category
14-8-2024 19:27:50: Optimizing Network Protection Performance of the Microsoft Defender
14-8-2024 19:27:50: Enabling Real-time protection and Security Intelligence Updates during OOBE
14-8-2024 19:27:50: Enabling Intel Threat Detection Technology
14-8-2024 19:27:50: Enabling Restore point scan
14-8-2024 19:27:50: Disabling Performance mode of Defender that only applies to Dev drives by lowering security
14-8-2024 19:27:50: Setting the Network Protection to block network traffic instead of displaying a warning
14-8-2024 19:27:51: Setting the Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious
14-8-2024 19:27:51: Setting the Brute-Force Protection to prevent suspicious and malicious behaviors
14-8-2024 19:27:51: Setting the internal feature logic to determine blocking time for the Brute-Force Protections
14-8-2024 19:27:51: Setting the Remote Encryption Protection to use cloud intel and context, and block when confidence level is above 90%
14-8-2024 19:27:51: Setting the Remote Encryption Protection to prevent suspicious and malicious behaviors
14-8-2024 19:27:51: Setting the internal feature logic to determine blocking time for the Remote Encryption Protection
14-8-2024 19:27:51: Adding OneDrive folders of all the user accounts (personal and work accounts) to the Controlled Folder Access for Ransomware Protection
14-8-2024 19:27:51: @{PSComputerName=}
14-8-2024 19:27:51: Enabling Mandatory ASLR Exploit Protection system-wide
14-8-2024 19:27:51: Excluding GitHub Desktop Git executables from mandatory ASLR if they are found
14-8-2024 19:27:51: Excluding Git executables from mandatory ASLR if they are found
14-8-2024 19:27:51: Applying the Process Mitigations
14-8-2024 19:27:51: Removing the existing process mitigations
14-8-2024 19:27:51: Adding the process mitigations
14-8-2024 19:27:51: Adding process mitigations for Acrobat.exe
14-8-2024 19:27:51: Adding process mitigations for csrss.exe
14-8-2024 19:27:51: Adding process mitigations for EXCEL.EXE
14-8-2024 19:27:51: Adding process mitigations for explorer.exe
14-8-2024 19:27:51: Adding process mitigations for lsass.exe
14-8-2024 19:27:51: Adding process mitigations for MSACCESS.EXE
14-8-2024 19:27:51: Adding process mitigations for msedge.exe
14-8-2024 19:27:51: Adding process mitigations for msedgewebview2.exe
14-8-2024 19:27:51: Adding process mitigations for MSPUB.EXE
14-8-2024 19:27:51: Adding process mitigations for NisSrv.exe
14-8-2024 19:27:51: Adding process mitigations for OneDrive.exe
14-8-2024 19:27:51: Adding process mitigations for ONENOTE.EXE
14-8-2024 19:27:51: Adding process mitigations for OUTLOOK.EXE
14-8-2024 19:27:51: Adding process mitigations for POWERPNT.EXE
14-8-2024 19:27:51: Adding process mitigations for QuickAssist.exe
14-8-2024 19:27:51: Adding process mitigations for Regsvr32.exe
14-8-2024 19:27:51: Adding process mitigations for rundll32.exe
14-8-2024 19:27:51: Adding process mitigations for RuntimeBroker.exe
14-8-2024 19:27:51: Adding process mitigations for services.exe
14-8-2024 19:27:51: Adding process mitigations for SmartScreen.exe
14-8-2024 19:27:51: Adding process mitigations for SMSS.exe
14-8-2024 19:27:51: Adding process mitigations for vmcompute.exe
14-8-2024 19:27:51: Adding process mitigations for vmwp.exe
14-8-2024 19:27:51: Adding process mitigations for WindowsSandbox.exe
14-8-2024 19:27:51: Adding process mitigations for WindowsSandboxClient.exe
14-8-2024 19:27:51: Adding process mitigations for Wininit.exe
14-8-2024 19:27:51: Adding process mitigations for WINWORD.EXE
14-8-2024 19:27:51: Turning on Data Execution Prevention (DEP) for all applications, including 32-bit programs
14-8-2024 19:27:52: Turning on Smart App Control
14-8-2024 19:27:52: Enabling Optional Diagnostic Data because SAC is on or user selected to turn it on
14-8-2024 19:27:52: Getting the state of fast weekly Microsoft recommended driver block list update scheduled task
14-8-2024 19:27:53: Scheduled task for fast weekly Microsoft recommended driver block list update already exists and is in 3 state
**********************
Harden Windows Security operation log end
End time: 14-8-2024 19:28:50
**********************

HenkPoley commented 4 weeks ago

I suppose it was trying to load an ARM DLL into the AMD64 compiled pwsh.exe

There are multiple ways to check the CPU type.

- (Get-WmiObject Win32_Processor).Architecture: 0 = x86-32, 9 = x86-64, 12 = ARM (CPU architecture from Windows)
- (Get-CimInstance -ClassName Win32_ComputerSystem).SystemType: "ARM64-based PC"
- $Env:PROCESSOR_ARCHITECTURE: AMD64, ARM64 (architecture of PowerShell executable)

HotCakeX commented 4 weeks ago

The DEP part runs this command

 Set-BcdElement -Element 'nx' -Type 'Integer' -Value '3' -Force

but you said it works fine now on ARM? So the problem is related to the bootstrapper script here that installs the wrong version from Winget on ARM architecture?

HenkPoley commented 4 weeks ago

The MSIX installs (should install) the correct architecture. It's probably my winget install --id Microsoft.PowerShell that overwrote it with a AMD64 version.

It works fine when the 'correct' architecture is installed.

HotCakeX commented 4 weeks ago

> The MSIX installs (should install) the correct architecture. It's probably my winget install --id Microsoft.PowerShell that overwrote it with a AMD64 version.
>
> It works fine when the 'correct' architecture is installed.

I see, so is there something i should fix?

HotCakeX commented 4 weeks ago

Starting 2 years ago, Winget automatically downloads ARM packages on ARM hardware when available https://devblogs.microsoft.com/commandline/windows-package-manager-1-2/

There is -a, --architecture parameter for Winget that supports explicitly selecting architecture https://learn.microsoft.com/en-us/windows/package-manager/winget/install

Updated the bootstrapper: https://github.com/HotCakeX/Harden-Windows-Security/pull/321

The bootstrapper installs the ARM version on ARM hardware and the AMD64 version on x64 hardware because it first tries to use the Microsoft Store and then falls back to the msixbundle, which holds multiple editions.
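
The two points the thread turns on, checking the hardware architecture separately from the architecture of the running PowerShell process, and asking winget for a specific architecture rather than trusting its default, can be combined into one check. The script below is an added example written for this page; it is not the project's bootstrapper and not code from PR #321. It assumes the Win32_Processor.Architecture values documented by Microsoft (0 = x86, 5 = ARM, 9 = x64, 12 = ARM64), that winget is on PATH, and that the function names Get-WingetArchitecture, Test-ProcessMatchesHardware and Install-NativePowerShell are local to this example.

```powershell
# Added example, not the Harden-Windows-Security bootstrapper.
# Detects the physical CPU architecture, compares it with the architecture of the
# PowerShell process that is running, and installs Microsoft.PowerShell via winget
# with --architecture set explicitly so an emulated AMD64 build cannot land on ARM64.

function Get-WingetArchitecture {
    <# Returns the winget --architecture value matching the physical CPU. #>
    [CmdletBinding()]
    [OutputType([string])]
    param()

    # Win32_Processor.Architecture describes the hardware, regardless of whether this
    # PowerShell process runs natively or under x64 emulation on ARM64.
    # Values per Microsoft's Win32_Processor documentation (assumed here):
    # 0 = x86, 5 = ARM, 9 = x64, 12 = ARM64.
    $cpuArch = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Architecture
    switch ($cpuArch) {
        0       { return 'x86' }
        5       { return 'arm' }
        9       { return 'x64' }
        12      { return 'arm64' }
        default { throw "Unsupported Win32_Processor.Architecture value: $cpuArch" }
    }
}

function Test-ProcessMatchesHardware {
    <# $true when this PowerShell process is native to the CPU, $false when it is emulated
       (for example an AMD64 pwsh.exe running on an ARM64 machine). #>
    [CmdletBinding()]
    [OutputType([bool])]
    param()

    # PROCESSOR_ARCHITECTURE describes the running process, not the machine.
    $processArch = switch ($Env:PROCESSOR_ARCHITECTURE) {
        'AMD64' { 'x64' }
        'ARM64' { 'arm64' }
        'ARM'   { 'arm' }
        'x86'   { 'x86' }
        default { $Env:PROCESSOR_ARCHITECTURE }
    }
    return ($processArch -eq (Get-WingetArchitecture))
}

function Install-NativePowerShell {
    <# Installs Microsoft.PowerShell for the physical architecture. Supports -WhatIf. #>
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $arch = Get-WingetArchitecture

    if (-not (Test-ProcessMatchesHardware)) {
        # Native-only binaries loaded into an emulated host fail with 0x8007000B
        # (ERROR_BAD_FORMAT), which is the error shown in the report above.
        Write-Warning ("This PowerShell process is $Env:PROCESSOR_ARCHITECTURE but the hardware is $arch; " +
                       'modules with native components will fail to load (0x8007000B). Installing the native build.')
    }

    # Pin the architecture instead of relying on winget's default selection.
    $wingetArgs = @(
        'install', '--id', 'Microsoft.PowerShell', '--exact',
        '--source', 'winget',
        '--architecture', $arch,
        '--accept-package-agreements', '--accept-source-agreements'
    )

    if ($PSCmdlet.ShouldProcess("Microsoft.PowerShell ($arch)", "winget $($wingetArgs -join ' ')")) {
        & winget @wingetArgs
        if ($LASTEXITCODE -ne 0) {
            throw "winget exited with code $LASTEXITCODE"
        }
    }
}

# Dry run: prints the exact winget command without installing anything.
Install-NativePowerShell -WhatIf
```

Run the dry run first from whichever host is available; on an ARM64 machine where an AMD64 pwsh.exe was installed, Test-ProcessMatchesHardware returns $false and the warning identifies the mismatch before anything is downloaded. Remove -WhatIf to perform the install, then start the newly installed pwsh.exe and confirm $Env:PROCESSOR_ARCHITECTURE reports ARM64 before re-running the Harden Windows Security module.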