From 9be8850563dda6734231924fa95ebe1d9bf4ae0e Mon Sep 17 00:00:00 2001 From: Dmitry Nefedov Date: Tue, 23 Jun 2020 12:48:38 +0300 Subject: [PATCH] 23.06.2020 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit # Windows 10 2004 | 1903/1909 Version ## Updated - Updated help section - Updated "Turn off Cortana autostarting" section - Added "Create "Process Creation" Event Viewer Custom View" section - For this custom view to function, it is necessary to enable the following sections - Turn on events auditing generated when a process is created or starts - Include command line in process creation events - This feature allows to conveniently track the creation of suspicious processes along with the process command line argument - Go to Event Viewer - Custom View - Process Creation - Minor changes ## Версия для Windows 10 2004 | 1903/1909 ## Обновлено - Обновлен раздел справки - Обновлен раздел "Удалить Кортана из автозагрузки" - Добавлен раздел "Создать настаиваемое представление "Создание процесса" в Просмотре событий" - Чтобы функционировало данное настраиваемое представление, необходимо включить следующие разделы - Включить аудит событий, возникающих при создании или запуске процесса - Включать командную строку в событиях создания процесса - Данная опция позволяет в удобной форме отслеживать создание подозрительных процессов вместе с аргументом командной строки процесса - Перейдите в Просмотр событий — Настраиваемое представление — Создание процесса - Незначительные изменения --- LTSC.ps1 | 64 +++++++++++++++++++++++++----- Win 10 1903-1909.ps1 | 92 ++++++++++++++++++++++++++++++++++---------- Win 10 2004.ps1 | 74 ++++++++++++++++++++++++++++++----- 3 files changed, 192 insertions(+), 38 deletions(-) diff --git a/LTSC.ps1 b/LTSC.ps1 index 042662cb..d5ec24b2 100644 --- a/LTSC.ps1 +++ b/LTSC.ps1 
@@ -1,9 +1,21 @@ -<# +<# .SYNOPSIS "Windows 10 Setup Script" is a set of tweaks for OS fine-tuning and automating the routine tasks + + Version: v4.4.3 + Date: 23.06.2020 + Copyright (c) 2020 farag & oZ-Zo + + Thanks to all http://forum.ru-board.com members involved + .DESCRIPTION Supported Windows 10 version: 1809 Enterprise LTSC, 17763 build, x64 + Due to the fact that the script includes about 140 functions, + you should read the entire script and comment out those sections that you do not want to be execute + + Running the script is best done on a fresh install because running the script on tweaked system may result in occurring errors + Check whether the .ps1 file is encoded in UTF-8 with BOM The script can not be executed via PowerShell ISE PowerShell must be run with elevated privileges @@ -11,15 +23,9 @@ Set execution policy to be able to run scripts only in the current PowerShell session: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - Running the script is best done on a fresh install .EXAMPLE PS C:\> & '.\LTSC.ps1' .NOTES - Version: v4.5.0.1 - Date: 10.06.2020 - Written by: farag & oZ-Zo - Thanks to all http://forum.ru-board.com members involved - Ask a question on http://forum.ru-board.com/topic.cgi?forum=62&topic=30617#15 https://habr.com/en/post/465365/ @@ -27,7 +33,6 @@ https://forums.mydigitallife.net/threads/powershell-script-setup-windows-10.81675/ https://www.reddit.com/r/PowerShell/comments/go2n5v/powershell_script_setup_windows_10/ - Copyright (c) 2020 farag & oZ-Zo .LINK https://github.com/farag2/Windows-10-Setup-Script #> 
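Review bot: The new header block records `Version: v4.4.3`, but the `.NOTES` block this hunk removes said `v4.5.0.1`, so the LTSC script's version number goes backwards; `Win 10 2004.ps1` bumps v4.5.2 to v4.5.3 and `Win 10 1903-1909.ps1` keeps v4.4.3 in this same commit, so this looks like a header copied from the 1903-1909 script — confirm the intended number. The added sentence `you should read the entire script and comment out those sections that you do not want to be execute` should read `…that you do not want to be executed`, and `running the script on tweaked system` should be `running the script on a tweaked system`. The same two sentences are added to the headers of `Win 10 1903-1909.ps1` and `Win 10 2004.ps1` in this commit and need the same fix there.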
@@ -2274,6 +2279,47 @@ if ($ProcessCreation -ne "No Auditing") New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -PropertyType DWord -Value 1 -Force } +# Create "Process Creation" Event Viewer Custom View +# Создать настаиваемое представление "Создание процесса" в Настраиваемых представлениях +if ($RU) +{ + $OutputEncoding = [System.Console]::OutputEncoding = [System.Console]::InputEncoding = [System.Text.Encoding]::UTF8 +} +$ProcessCreation = auditpol /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /r | ConvertFrom-Csv | Select-Object -ExpandProperty "Inclusion Setting" +if ($ProcessCreation -ne "No Auditing") +{ + $XMLfile = @" + + + + + + + Process Creation + Process Creation and Command-line Auditing Events + + + + + + + + +"@ + $ProcessCreationPath = "$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml" + # Saving ProcessCreation.xml in UTF-8 encoding + # Сохраняем ProcessCreation.xml в кодировке UTF-8 + Set-Content -Value (New-Object System.Text.UTF8Encoding).GetBytes($XMLfile) -Encoding Byte -Path $ProcessCreationPath -Force + + if ($RU) + { + [xml]$XML = Get-Content -Path $ProcessCreationPath + $XML.ViewerConfig.QueryConfig.QueryNode.Name = "Создание процесса" + $XML.ViewerConfig.QueryConfig.QueryNode.Description = "События содания нового процесса и аудит командной строки" + $xml.Save("$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml") + } +} + # Turn on logging for all Windows PowerShell modules # Включить ведение журнала для всех модулей Windows PowerShell if (-not (Test-Path -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames)) @@ -2483,4 +2529,4 @@ if ($Error) } } } | Sort-Object -Property Line | Format-Table -AutoSize -Wrap | Out-String).Trim() -} +} \ No newline at end of file diff --git a/Win 10 1903-1909.ps1 b/Win 10 1903-1909.ps1 index ced8c32d..0fdf761b 100644 --- a/Win 10 1903-1909.ps1 
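Review bot: The guard `if ($ProcessCreation -ne "No Auditing")` around the new custom view checks only the audit subcategory, whereas the same block added to `Win 10 1903-1909.ps1` and `Win 10 2004.ps1` also requires the `ProcessCreationIncludeCmdLine_Enabled` registry value, which the commit message lists as a prerequisite for the view; the three copies should agree. `Set-Content` does not create missing directories, so if `$env:ProgramData\Microsoft\Event Viewer\Views` does not exist yet the write fails; a `Test-Path` / `New-Item -ItemType Directory` guard, like the `Test-Path` / `New-Item` pair this commit adds for the Cortana key, would cover that. In the Russian branch the user-facing description `"События содания нового процесса и аудит командной строки"` looks like a typo for `"События создания нового процесса …"`, and the comment `настаиваемое представление` for `настраиваемое`. `$xml.Save("$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml")` repeats the literal path; `$XML.Save($ProcessCreationPath)` reuses the variable defined a few lines above. The last three points apply equally to the identical blocks in the other two scripts.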
+++ b/Win 10 1903-1909.ps1 @@ -1,12 +1,24 @@ <# .SYNOPSIS "Windows 10 Setup Script" is a set of tweaks for OS fine-tuning and automating the routine tasks + + Version: v4.4.3 + Date: 23.06.2020 + Copyright (c) 2020 farag & oZ-Zo + + Thanks to all http://forum.ru-board.com members involved + .DESCRIPTION Supported Windows 10 version: 2004 (20H1), 19041 build, x64 Most of functions can be run also on LTSB/LTSC Tested on Home/Pro/Enterprise editions + Due to the fact that the script includes about 150 functions, + you should read the entire script and comment out those sections that you do not want to be execute + + Running the script is best done on a fresh install because running the script on tweaked system may result in occurring errors + Check whether the .ps1 file is encoded in UTF-8 with BOM The script can not be executed via PowerShell ISE PowerShell must be run with elevated privileges @@ -14,15 +26,10 @@ Set execution policy to be able to run scripts only in the current PowerShell session: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - Running the script is best done on a fresh install .EXAMPLE - PS C:\> & '.\Win 10.ps1' -.NOTES - Version: v4.4.3 - Date: 19.06.2020 - Written by: farag & oZ-Zo - Thanks to all http://forum.ru-board.com members involved + PS C:\> & '.\Win 10 2004.ps1' +.NOTES Ask a question on http://forum.ru-board.com/topic.cgi?forum=62&topic=30617#15 https://habr.com/en/post/465365/ @@ -30,7 +37,6 @@ https://forums.mydigitallife.net/threads/powershell-script-setup-windows-10.81675/ https://www.reddit.com/r/PowerShell/comments/go2n5v/powershell_script_setup_windows_10/ - Copyright (c) 2020 farag & oZ-Zo .LINK https://github.com/farag2/Windows-10-Setup-Script #> 
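Review bot: The rewritten `.EXAMPLE` line `PS C:\> & '.\Win 10 2004.ps1'` names the other script; this file is `Win 10 1903-1909.ps1`, so it should read `PS C:\> & '.\Win 10 1903-1909.ps1'`. Together with the context line `Supported Windows 10 version: 2004 (20H1), 19041 build, x64` this suggests the header was copied from the 2004 script rather than written for this one, so the whole comment block deserves a pass. The version moves from the removed `.NOTES` block into `.SYNOPSIS` unchanged at `v4.4.3` while the date is updated; if the code changes below are meant as a release, the number probably needs a bump as in `Win 10 2004.ps1`.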
@@ -1954,7 +1960,7 @@ switch ($Result) "@ $StartMenuLayoutPath = "$env:TEMP\StartMenuLayout.xml" # Saving StartMenuLayout.xml in UTF-8 encoding - # Сохраняем StartMenuLayout.xml в кодирвоке UTF-8 + # Сохраняем StartMenuLayout.xml в кодировке UTF-8 Set-Content -Value (New-Object System.Text.UTF8Encoding).GetBytes($StartMenuLayout) -Encoding Byte -Path $StartMenuLayoutPath -Force # Temporarily disable changing Start layout @@ -2910,18 +2916,18 @@ if ((Get-MpPreference).EnableControlledFolderAccess -eq 1) } } -# Add exclusion folder from Microsoft Defender Antivirus scanning -# Добавить папку в список исключений сканирования Microsoft Defender +# Add exclusion folder from Windows Defender Antivirus scanning +# Добавить папку в список исключений сканирования Windows Defender if ($RU) { - $Title = "Microsoft Defender" - $Message = "Чтобы исключить папку из списка сканирования антивредоносной программы Microsoft Defender, введите необходимую букву" + $Title = "Windows Defender" + $Message = "Чтобы исключить папку из списка сканирования антивредоносной программы Windows Defender, введите необходимую букву" $Options = "&Исключить папку", "&Пропустить" } else { - $Title = "Microsoft Defender" - $Message = "To exclude folder from Microsoft Defender Antivirus Scan enter the required letter" + $Title = "Windows Defender" + $Message = "To exclude folder from Windows Defender Antivirus Scan enter the required letter" $Options = "&Exclude folder", "&Skip" } $DefaultChoice = 1 
@@ -2965,18 +2971,18 @@ switch ($Result) } } -# Add exclusion file from Microsoft Defender Antivirus scanning -# Добавить файл в список исключений сканирования Microsoft Defender +# Add exclusion file from Windows Defender Antivirus scanning +# Добавить файл в список исключений сканирования Windows Defender if ($RU) { $Title = "Windows Defender" - $Message = "Чтобы исключить файл из списка сканирования антивредоносной программы Microsoft Defender, введите необходимую букву" + $Message = "Чтобы исключить файл из списка сканирования антивредоносной программы Windows Defender, введите необходимую букву" $Options = "&Исключить файл", "&Пропустить" } else { $Title = "Windows Defender" - $Message = "To exclude file from Microsoft Defender Antivirus Scan enter the required letter" + $Message = "To exclude file from Windows Defender Antivirus Scan enter the required letter" $Options = "&Exclude file", "&Skip" } $DefaultChoice = 1 @@ -3038,7 +3044,7 @@ setx /M MP_FORCE_USE_SANDBOX 1 New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Security Health\State" -Name AccountProtection_MicrosoftAccount_Disconnected -PropertyType DWord -Value 1 -Force # Dismiss Windows Defender offer in the Windows Security about to turn on the SmartScreen filter for Microsoft Edge -# Отклонить предложение Microsoft Defender в "Безопасность Windows" включить фильтр SmartScreen для Microsoft Edge +# Отклонить предложение Windows Defender в "Безопасность Windows" включить фильтр SmartScreen для Microsoft Edge New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Security Health\State" -Name AppAndBrowser_EdgeSmartScreenOff -PropertyType DWord -Value 0 -Force # Turn on events auditing generated when a process is created or starts 
@@ -3057,6 +3063,52 @@ if ($ProcessCreation -ne "No Auditing") New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -PropertyType DWord -Value 1 -Force } +# Create "Process Creation" Event Viewer Custom View +# Создать настаиваемое представление "Создание процесса" в Настраиваемых представлениях +if ($RU) +{ + $OutputEncoding = [System.Console]::OutputEncoding = [System.Console]::InputEncoding = [System.Text.Encoding]::UTF8 +} +$ProcessCreation = auditpol /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /r | ConvertFrom-Csv | Select-Object -ExpandProperty "Inclusion Setting" +if (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction Ignore) +{ + $ProcessCreationIncludeCmdLine_Enabled = $true +} + +if (($ProcessCreation -ne "No Auditing") -and ($ProcessCreationIncludeCmdLine_Enabled -eq $true)) +{ + $XMLfile = @" + + + + + + + Process Creation + Process Creation and Command-line Auditing Events + + + + + + + + +"@ + $ProcessCreationPath = "$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml" + # Saving ProcessCreation.xml in UTF-8 encoding + # Сохраняем ProcessCreation.xml в кодировке UTF-8 + Set-Content -Value (New-Object System.Text.UTF8Encoding).GetBytes($XMLfile) -Encoding Byte -Path $ProcessCreationPath -Force + + if ($RU) + { + [xml]$XML = Get-Content -Path $ProcessCreationPath + $XML.ViewerConfig.QueryConfig.QueryNode.Name = "Создание процесса" + $XML.ViewerConfig.QueryConfig.QueryNode.Description = "События содания нового процесса и аудит командной строки" + $xml.Save("$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml") + } +} + # Turn on logging for all Windows PowerShell modules # Включить ведение журнала для всех модулей Windows PowerShell if (-not (Test-Path -Path 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames)) diff --git a/Win 10 2004.ps1 b/Win 10 2004.ps1 index 579da733..18d7f0a6 100644 --- a/Win 10 2004.ps1 +++ b/Win 10 2004.ps1 @@ -1,12 +1,24 @@ <# .SYNOPSIS "Windows 10 Setup Script" is a set of tweaks for OS fine-tuning and automating the routine tasks + + Version: v4.5.3 + Date: 23.06.2020 + Copyright (c) 2020 farag & oZ-Zo + + Thanks to all http://forum.ru-board.com members involved + .DESCRIPTION Supported Windows 10 version: 2004 (20H1), 19041 build, x64 Most of functions can be run also on LTSB/LTSC Tested on Home/Pro/Enterprise editions + Due to the fact that the script includes about 150 functions, + you should read the entire script and comment out those sections that you do not want to be execute + + Running the script is best done on a fresh install because running the script on tweaked system may result in occurring errors + Check whether the .ps1 file is encoded in UTF-8 with BOM The script can not be executed via PowerShell ISE PowerShell must be run with elevated privileges @@ -14,15 +26,10 @@ Set execution policy to be able to run scripts only in the current PowerShell session: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force - Running the script is best done on a fresh install .EXAMPLE - PS C:\> & '.\Win 10.ps1' -.NOTES - Version: v4.5.2 - Date: 19.06.2020 - Written by: farag & oZ-Zo - Thanks to all http://forum.ru-board.com members involved + PS C:\> & '.\Win 10 2004.ps1' +.NOTES Ask a question on http://forum.ru-board.com/topic.cgi?forum=62&topic=30617#15 https://habr.com/en/post/465365/ @@ -30,7 +37,6 @@ https://forums.mydigitallife.net/threads/powershell-script-setup-windows-10.81675/ https://www.reddit.com/r/PowerShell/comments/go2n5v/powershell_script_setup_windows_10/ - Copyright (c) 2020 farag & oZ-Zo .LINK https://github.com/farag2/Windows-10-Setup-Script #> 
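Review bot: The new prerequisite test `if (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction Ignore)` only checks that the value exists, not that it is 1, so a value explicitly set to 0 still lets `$ProcessCreationIncludeCmdLine_Enabled` become `$true` and the view is created although command-line logging is off; compare the value instead, e.g. `if ((Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction Ignore).ProcessCreationIncludeCmdLine_Enabled -eq 1)`. `$ProcessCreationIncludeCmdLine_Enabled` is also never initialised to `$false`, so the `-eq $true` test relies on the variable being undefined in a fresh session; a stale value from an earlier run in the same session would pass. The same two points apply to the identical block added to `Win 10 2004.ps1` in this commit.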
@@ -1962,7 +1968,7 @@ switch ($Result) "@ $StartMenuLayoutPath = "$env:TEMP\StartMenuLayout.xml" # Saving StartMenuLayout.xml in UTF-8 encoding - # Сохраняем StartMenuLayout.xml в кодирвоке UTF-8 + # Сохраняем StartMenuLayout.xml в кодировке UTF-8 Set-Content -Value (New-Object System.Text.UTF8Encoding).GetBytes($StartMenuLayout) -Encoding Byte -Path $StartMenuLayoutPath -Force # Temporarily disable changing Start layout @@ -2427,6 +2433,10 @@ if (Get-AppxPackage -Name Microsoft.ZuneVideo) # Удалить Кортана из автозагрузки if (Get-AppxPackage -AllUsers -Name Microsoft.549981C3F5F10) { + if (-not (Test-Path -Path "Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId")) + { + New-Item -Path "Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId" -Force + } New-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId" -Name State -PropertyType DWord -Value 1 -Force } 
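Review bot: The Cortana block now spells out the `Registry::HKEY_CLASSES_ROOT\Local Settings\…\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId` path three times (in `Test-Path`, `New-Item` and `New-ItemProperty`); a single `$CortanaStartupId = "Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CortanaStartupId"` assigned before the `if` and passed as `-Path $CortanaStartupId` keeps the three in step. That is a readability point only; the `Test-Path` guard before `New-Item -Force` matches how the rest of the file creates keys, as in the `ModuleLogging\ModuleNames` context lines below.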
@@ -3073,6 +3083,52 @@ if ($ProcessCreation -ne "No Auditing") New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -PropertyType DWord -Value 1 -Force } +# Create "Process Creation" Event Viewer Custom View +# Создать настаиваемое представление "Создание процесса" в Настраиваемых представлениях +if ($RU) +{ + $OutputEncoding = [System.Console]::OutputEncoding = [System.Console]::InputEncoding = [System.Text.Encoding]::UTF8 +} +$ProcessCreation = auditpol /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /r | ConvertFrom-Csv | Select-Object -ExpandProperty "Inclusion Setting" +if (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction Ignore) +{ + $ProcessCreationIncludeCmdLine_Enabled = $true +} + +if (($ProcessCreation -ne "No Auditing") -and ($ProcessCreationIncludeCmdLine_Enabled -eq $true)) +{ + $XMLfile = @" + + + + + + + Process Creation + Process Creation and Command-line Auditing Events + + + + + + + + +"@ + $ProcessCreationPath = "$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml" + # Saving ProcessCreation.xml in UTF-8 encoding + # Сохраняем ProcessCreation.xml в кодировке UTF-8 + Set-Content -Value (New-Object System.Text.UTF8Encoding).GetBytes($XMLfile) -Encoding Byte -Path $ProcessCreationPath -Force + + if ($RU) + { + [xml]$XML = Get-Content -Path $ProcessCreationPath + $XML.ViewerConfig.QueryConfig.QueryNode.Name = "Создание процесса" + $XML.ViewerConfig.QueryConfig.QueryNode.Description = "События содания нового процесса и аудит командной строки" + $xml.Save("$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml") + } +} + # Turn on logging for all Windows PowerShell modules # Включить ведение журнала для всех модулей Windows PowerShell if (-not (Test-Path -Path 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames))