diff --git a/src/Sophia_Script_for_Windows_10/Module/Sophia.psm1 b/src/Sophia_Script_for_Windows_10/Module/Sophia.psm1
index 6c1b35ae..690328f2 100644
--- a/src/Sophia_Script_for_Windows_10/Module/Sophia.psm1
+++ b/src/Sophia_Script_for_Windows_10/Module/Sophia.psm1
@@ -13982,6 +13982,7 @@ function EventViewerCustomView
 }
 "Disable"
 {
+ # Unlike in Windows 11 default value for Windows 10 is "disable"
 auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
 Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -Force -ErrorAction Ignore
 Set-Policy -Scope Computer -Path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -Type CLEAR
diff --git a/src/Sophia_Script_for_Windows_10_PowerShell_7/Module/Sophia.psm1 b/src/Sophia_Script_for_Windows_10_PowerShell_7/Module/Sophia.psm1
index 26c69f3a..d15bc884 100644
--- a/src/Sophia_Script_for_Windows_10_PowerShell_7/Module/Sophia.psm1
+++ b/src/Sophia_Script_for_Windows_10_PowerShell_7/Module/Sophia.psm1
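Review bot: The added comment explains the Windows 10 default but not what the branch switches off, which matters because this path reduces audit visibility: the subcategory GUID on the next line is Process Creation, and the two registry lines that follow clear the ProcessCreationIncludeCmdLine_Enabled policy, so command lines stop being recorded in process-creation events. A fuller comment would be `# Windows 10 ships with Process Creation auditing off (Windows 11 does not), so "Disable" restores that default and stops command lines from being recorded in process-creation events`. The auditpol call's result is also never inspected; `if ($LASTEXITCODE -ne 0) { Write-Warning -Message "auditpol exited with $LASTEXITCODE" }` after it would surface a failed call instead of continuing silently. The same hunk appears in the Windows 10 PowerShell 7 module at @@ -14008,6 +14008,7 @@; the enclosing switch and function continue outside the hunk.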
@@ -58,20 +58,23 @@ function InitialActions
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ # Import PowerShell 5.1 modules
+ Import-Module -Name Microsoft.PowerShell.Management, PackageManagement, Appx -UseWindowsPowerShell
+
 # Extract strings from %SystemRoot%\System32\shell32.dll using its number
 # https://github.com/SamuelArnold/StarKill3r/blob/master/Star%20Killer/Star%20Killer/bin/Debug/Scripts/SANS-SEC505-master/scripts/Day1-PowerShell/Expand-IndirectString.ps1
 # [WinAPI.GetStrings]::GetIndirectString("@%SystemRoot%\system32\schedsvc.dll,-100")
 # https://github.com/PowerShell/PowerShell/issues/21070
- $Script:CompilerParameters = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll")
- $Script:CompilerParameters.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false)
- $Script:CompilerParameters.GenerateInMemory = $true
+ $Script:CompilerOptions = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll")
+ $Script:CompilerOptions.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false)
+ $Script:CompilerOptions.GenerateInMemory = $true
 $Signature = @{
 Namespace = "WinAPI"
 Name = "GetStrings"
 Language = "CSharp"
 UsingNamespace = "System.Text"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
 public static extern IntPtr GetModuleHandle(string lpModuleName);
@@ -126,7 +129,7 @@ public static string GetIndirectString(string indirectString)
 Namespace = "WinAPI"
 Name = "ForegroundWindow"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("user32.dll")]
 public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
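Review bot: The splatted hashtables now read `$CompilerOptions` without a scope prefix while the value is only ever assigned as `$Script:CompilerOptions`; that works through dynamic scoping, but any function that later declares a local `$CompilerOptions` would silently hand Add-Type a different value, so `CompilerOptions = $Script:CompilerOptions` is the safer spelling in each splat (this applies to every CompilerOptions hunk in this module and in the Windows 11 PowerShell 7 module). The rename also hides the type: the variable still holds a `[System.CodeDom.Compiler.CompilerParameters]` instance, and if PowerShell 7's Add-Type still types `-CompilerOptions` as `string[]` the object may simply be stringified when bound, which is worth confirming since this is the PowerShell 7 module. A one-line comment above the assignment, such as `# A CodeDom CompilerParameters object is passed under the CompilerOptions key; see the issue link above for why`, would spare the next reader the same question. InitialActions continues outside the hunk.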
@@ -829,9 +832,6 @@ public static extern bool SetForegroundWindow(IntPtr hWnd);
 # Save all opened folders in order to restore them after File Explorer restart
 $Script:OpenedFolders = {(New-Object -ComObject Shell.Application).Windows() | ForEach-Object -Process {$_.Document.Folder.Self.Path}}.Invoke()
- # Import PowerShell 5.1 modules
- Import-Module -Name Microsoft.PowerShell.Management, PackageManagement, Appx -UseWindowsPowerShell
-
 <#
 .SYNOPSIS
 The "Show menu" function with the up/down arrow keys and enter key to make a selection
@@ -4904,8 +4904,8 @@ function Cursors
 Namespace = "WinAPI"
 Name = "Cursor"
 Language = "CSharp"
- CompilerParameters = $CompilerParameters
- MemberDefinition = @"
+ CompilerOptions = $CompilerOptions
+ MemberDefinition = @"
 [DllImport("user32.dll", EntryPoint = "SystemParametersInfo")]
 public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, uint pvParam, uint fWinIni);
 "@
@@ -5142,7 +5142,7 @@ function OneDrive
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -5655,7 +5655,7 @@ function TempFolder
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -5779,7 +5779,7 @@ Unregister-ScheduledTask -TaskName SymbolicLink -Confirm:`$false
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -7340,7 +7340,7 @@ function Set-UserShellFolderLocation
 Namespace = "WinAPI"
 Name = "KnownFolders"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("shell32.dll")]
 public extern static int SHSetKnownFolderPath(ref Guid folderId, uint flags, IntPtr token, [MarshalAs(UnmanagedType.LPWStr)] string path);
@@ -9220,7 +9220,7 @@ function Set-Association
 Name = "Action"
 Language = "CSharp"
 UsingNamespace = "System.Text", "System.Security.AccessControl", "Microsoft.Win32"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
 private static extern int RegOpenKeyEx(UIntPtr hKey, string subKey, int ulOptions, int samDesired, out UIntPtr hkResult);
@@ -9690,7 +9690,7 @@ public static int UnloadHive(RegistryHives hive, string subKey)
 Namespace = "WinAPI"
 Name = "PatentHash"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public static uint[] WordSwap(byte[] a, int sz, byte[] md5)
 {
@@ -9936,7 +9936,7 @@ public static long MakeLong(uint left, uint right)
 Namespace = "WinAPI"
 Name = "Signature"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("shell32.dll", CharSet = CharSet.Auto, SetLastError = false)]
 private static extern int SHChangeNotify(int eventId, int flags, IntPtr item1, IntPtr item2);
@@ -14008,6 +14008,7 @@ function EventViewerCustomView
 }
 "Disable"
 {
+ # Unlike in Windows 11 default value for Windows 10 is "disable"
 auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:disable /failure:disable
 Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -Force -ErrorAction Ignore
 Set-Policy -Scope Computer -Path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -Type CLEAR
@@ -15368,7 +15369,7 @@ function PostActions
 Namespace = "WinAPI"
 Name = "UpdateEnvironment"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 private static readonly IntPtr HWND_BROADCAST = new IntPtr(0xffff);
 private const int WM_SETTINGCHANGE = 0x1a;
diff --git a/src/Sophia_Script_for_Windows_11_PowerShell_7/Module/Sophia.psm1 b/src/Sophia_Script_for_Windows_11_PowerShell_7/Module/Sophia.psm1
index 08a8f89b..c719fb76 100644
--- a/src/Sophia_Script_for_Windows_11_PowerShell_7/Module/Sophia.psm1
+++ b/src/Sophia_Script_for_Windows_11_PowerShell_7/Module/Sophia.psm1
@@ -57,20 +57,23 @@ function InitialActions
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ # Import PowerShell 5.1 modules
+ Import-Module -Name Microsoft.PowerShell.Management, PackageManagement, Appx -UseWindowsPowerShell
+
 # Extract strings from %SystemRoot%\System32\shell32.dll using its number
 # https://github.com/SamuelArnold/StarKill3r/blob/master/Star%20Killer/Star%20Killer/bin/Debug/Scripts/SANS-SEC505-master/scripts/Day1-PowerShell/Expand-IndirectString.ps1
 # [WinAPI.GetStrings]::GetIndirectString("@%SystemRoot%\system32\schedsvc.dll,-100")
 # https://github.com/PowerShell/PowerShell/issues/21070
- $Script:CompilerParameters = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll")
- $Script:CompilerParameters.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false)
- $Script:CompilerParameters.GenerateInMemory = $true
+ $Script:CompilerOptions = [System.CodeDom.Compiler.CompilerParameters]::new("System.dll")
+ $Script:CompilerOptions.TempFiles = [System.CodeDom.Compiler.TempFileCollection]::new($env:TEMP, $false)
+ $Script:CompilerOptions.GenerateInMemory = $true
 $Signature = @{
 Namespace = "WinAPI"
 Name = "GetStrings"
 Language = "CSharp"
 UsingNamespace = "System.Text"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
 public static extern IntPtr GetModuleHandle(string lpModuleName);
@@ -125,7 +128,7 @@ public static string GetIndirectString(string indirectString)
 Namespace = "WinAPI"
 Name = "ForegroundWindow"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("user32.dll")]
 public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
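Review bot: No hunk on this page removes a later `Import-Module ... -UseWindowsPowerShell` call from this module's InitialActions, whereas the Windows 10 PowerShell 7 module drops its copy at @@ -829,9 +832,6 @@; if the Windows 11 module carried the same later call, the one added here means the three modules are now imported twice through the Windows PowerShell compatibility session, which is at best redundant and should be checked, with the stale copy removed. The scope-prefix and `CompilerParameters`-typing remarks made on the Windows 10 PowerShell 7 InitialActions hunk apply here unchanged. InitialActions continues outside the hunk.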
@@ -914,11 +917,21 @@ public static extern bool SetForegroundWindow(IntPtr hWnd);
 # Extract the localized "Skip" string from shell32.dll
 $Script:Skip = [WinAPI.GetStrings]::GetString(16956)
+ Write-Information -MessageData "┏┓ ┓ • ┏┓ • ┏ ┓ ┏• ┓ " -InformationAction Continue
+ Write-Information -MessageData "┗┓┏┓┏┓┣┓┓┏┓ ┗┓┏┏┓┓┏┓╋ ╋┏┓┏┓ ┃┃┃┓┏┓┏┫┏┓┓┏┏┏" -InformationAction Continue
+ Write-Information -MessageData "┗┛┗┛┣┛┛┗┗┗┻ ┗┛┗┛ ┗┣┛┗ ┛┗┛┛ ┗┻┛┗┛┗┗┻┗┛┗┻┛┛" -InformationAction Continue
+ Write-Information -MessageData " ┛ ┛ " -InformationAction Continue
+
+ Write-Information -MessageData "https://t.me/sophianews" -InformationAction Continue
+ Write-Information -MessageData "https://t.me/sophia_chat" -InformationAction Continue
+ Write-Information -MessageData "https://discord.gg/sSryhaEv79" -InformationAction Continue
+
 # Display a warning message about whether a user has customized the preset file
 if ($Warning)
 {
 # Get the name of a preset (e.g Sophia.ps1) regardless it was named
 # $_.File has no EndsWith() method
+ Write-Information -MessageData "" -InformationAction Continue
 $PresetName = Split-Path -Path (((Get-PSCallStack).Position | Where-Object -FilterScript {$_.File}).File | Where-Object -FilterScript {$_.EndsWith(".ps1")}) -Leaf
 Write-Verbose -Message ($Localization.CustomizationWarning -f $PresetName) -Verbose
@@ -4478,11 +4491,11 @@ function Cursors
 # Reload cursor on-the-fly
 $Signature = @{
- Namespace = "WinAPI"
- Name = "Cursor"
- Language = "CSharp"
- CompilerParameters = $CompilerParameters
- MemberDefinition = @"
+ Namespace = "WinAPI"
+ Name = "Cursor"
+ Language = "CSharp"
+ CompilerOptions = $CompilerOptions
+ MemberDefinition = @"
 [DllImport("user32.dll", EntryPoint = "SystemParametersInfo")]
 public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, uint pvParam, uint fWinIni);
 "@
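Review bot: The added `Write-Information -MessageData "" -InformationAction Continue` is inserted between the two-line comment and the `$PresetName = ...` statement that comment describes, so the comment now explains the wrong line; moving that call above `# Get the name of a preset` keeps the comment attached to its code. Since its only job is to separate the banner from the customization warning, it reads most naturally as the first statement of the `if ($Warning)` block. The `if` block and the enclosing function continue outside the hunk.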
@@ -4719,7 +4732,7 @@ function OneDrive
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -5232,7 +5245,7 @@ function TempFolder
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -5356,7 +5369,7 @@ Unregister-ScheduledTask -TaskName SymbolicLink -Confirm:`$false
 Namespace = "WinAPI"
 Name = "DeleteFiles"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public enum MoveFileFlags
 {
@@ -7118,7 +7131,7 @@ function Set-UserShellFolderLocation
 Namespace = "WinAPI"
 Name = "KnownFolders"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("shell32.dll")]
 public extern static int SHSetKnownFolderPath(ref Guid folderId, uint flags, IntPtr token, [MarshalAs(UnmanagedType.LPWStr)] string path);
@@ -8794,7 +8807,7 @@ function Set-Association
 Name = "Action"
 Language = "CSharp"
 UsingNamespace = "System.Text", "System.Security.AccessControl", "Microsoft.Win32"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
 private static extern int RegOpenKeyEx(UIntPtr hKey, string subKey, int ulOptions, int samDesired, out UIntPtr hkResult);
@@ -9264,7 +9277,7 @@ public static int UnloadHive(RegistryHives hive, string subKey)
 Namespace = "WinAPI"
 Name = "PatentHash"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 public static uint[] WordSwap(byte[] a, int sz, byte[] md5)
 {
@@ -9510,7 +9523,7 @@ public static long MakeLong(uint left, uint right)
 Namespace = "WinAPI"
 Name = "Signature"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 [DllImport("shell32.dll", CharSet = CharSet.Auto, SetLastError = false)]
 private static extern int SHChangeNotify(int eventId, int flags, IntPtr item1, IntPtr item2);
@@ -14536,7 +14549,7 @@ function PostActions
 Namespace = "WinAPI"
 Name = "UpdateEnvironment"
 Language = "CSharp"
- CompilerOptions = $CompilerParameters
+ CompilerOptions = $CompilerOptions
 MemberDefinition = @"
 private static readonly IntPtr HWND_BROADCAST = new IntPtr(0xffff);
 private const int WM_SETTINGCHANGE = 0x1a;