From 5f9f4381cda890b6c475efd70caf8028c1845d5d Mon Sep 17 00:00:00 2001 From: felikcat <29991266+felikcat@users.noreply.github.com> Date: Sat, 7 Dec 2024 19:29:19 -0800 Subject: [PATCH] 1.4 --- Cargo.lock | 2 +- Cargo.toml | 22 +- README.adoc | 26 +- src/common.rs | 2 +- src/gui.rs | 2 +- src/gui/disable_defender_and_smartscreen.rs | 8 +- src/gui/reduce_forensics.rs | 21 +- src/gui/reduce_online_data_collection.rs | 332 ++++++-------------- 8 files changed, 139 insertions(+), 276 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3b6f755..6ff8e23 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,7 +4,7 @@ version = 4 [[package]] name = "W11Boost" -version = "1.3.0" +version = "1.4.0" dependencies = [ "chrono", "curl", diff --git a/Cargo.toml b/Cargo.toml index 45be310..102cecd 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,10 +1,19 @@ [package] name = "W11Boost" -version = "1.3.0" +version = "1.4.0" edition = "2024" build = "build.rs" authors = ["felikcat"] +[package.metadata.winres] +CompanyName = "felikcat" +FileDescription = "https://github.com/felikcat/W11Boost" +FileVersion = "1.4.0.0" +LegalCopyright = "© 2024 felikcat, AGPL3 License" +OriginalFilename = "W11Boost.exe" +ProductName = "W11Boost" +ProductVersion = "1.4.0.0" + # Optimize for size. [profile.release] strip = true @@ -52,13 +61,4 @@ features = [ ] [build-dependencies] -winres = "0.1.12" - -[package.metadata.winres] -CompanyName = "felikcat" -FileDescription = "https://github.com/felikcat/W11Boost" -FileVersion = "1.3.0.0" -LegalCopyright = "© 2024 felikcat, AGPL3 License" -OriginalFilename = "W11Boost.exe" -ProductName = "W11Boost" -ProductVersion = "1.3.0.0" +winres = "0.1.12" \ No newline at end of file diff --git a/README.adoc b/README.adoc index 405c40c..e951a91 100644 --- a/README.adoc +++ b/README.adoc @@ -11,8 +11,22 @@ endif::[] image:W11Boost_GUI.png[480,360] -W11Boost currently globally changes settings. It's not meant for shared computers, as it will change settings that may not be suitable for other users. -Although, the default checkbox selection is safe for most users as it is as close to stock unmodified Windows as possible without being ineffective. +W11Boost globally changes settings. It's not meant for shared computers. Despite this, the default checkbox selection is safe for most users as it is as close to stock unmodified Windows as possible without being ineffective. + +.Features that stick out: +- All changes are easily revertable through the Group Policy Editor. +** To quickly remove all changes by W11Boost, delete `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` and `C:\Windows\System32\GroupPolicy\User\Registry.pol`, then reboot. +- A focus on being non-intrusive. For example, we don't disable syncing to a Microsoft account, instead we suggest an alternative if that is desired. + +- "Disable Defender and Smartscreen" being a replacement for Sordum's Defender Control v2.1, the prior best tool for the job. + +- Optional anti-forensics. + +- A way to disable sleep and hibernation fully for specific use cases. + +- Windows Store and WinGet installers, aimed towards LTSC builds that lack both by default. + +- Written in Rust instead of PowerShell or Batch, meaning it is more predictable and robust. == 1. If not using Enterprise or LTSC or Education, convert the Windows edition to Education @@ -32,16 +46,16 @@ Although, the default checkbox selection is safe for most users as it is as clos - Only Windows 10 version 1803 and newer are officially supported. - The near guarantee of breaking no program or app is only for the default selection of checkboxes. -- "Reduce local data collection" is very aggressive, it compromises security for ultimate privacy. It will make forensics on your computer difficult. - -- "Reduce online data collection" will change how you use Windows; this also affects the security of Windows. +- "Reduce local data collection" won't change how you use Windows. - Installing the Microsoft Store and .appx support is generally for LTSC builds of Windows, but works on any edition regardless. -- "Disable Defender and Smartscreen" is a replacement for Sordum's Defender Control v2.1. +- "Reduce online data collection" will change how you use Windows. - "Disable Virtualization Based Security" is meant to boost FPS in games and especially make VMs (VirtualBox & VMWare) run faster. +. If you wish to reduce the amount of network traffic to and from Microsoft, use https://github.com/henrypp/simplewall[simplewall]. + . Install https://winaerotweaker.com/[Winaero Tweaker] to set personal preferences. . Download https://github.com/beatcracker/toptout/archive/refs/heads/master.zip[toptout] and open PowerShell as administrator: diff --git a/src/common.rs b/src/common.rs index c411708..97bbe27 100644 --- a/src/common.rs +++ b/src/common.rs @@ -300,7 +300,7 @@ pub fn center() -> (i32, i32) { } pub fn init_registry_gpo( - hkey: windows::Win32::System::Registry::HKEY, + mut hkey: windows::Win32::System::Registry::HKEY, ) -> Result<(windows::Win32::System::Registry::HKEY, IGroupPolicyObject), Box> { unsafe { // The apartment thread model is required for GPOs. diff --git a/src/gui.rs b/src/gui.rs index 2f5b38a..57d1224 100644 --- a/src/gui.rs +++ b/src/gui.rs @@ -138,7 +138,7 @@ pub fn draw_gui() -> Result<(), Box> { checkbox.set_label_font(enums::Font::by_name(&font)); checkbox.set_label_size(16); } - let hklm_safe = HKEY::HKEY_LOCAL_MACHINE + my_checkboxes[2].set_value(true); my_checkboxes[8].set_value(true); diff --git a/src/gui/disable_defender_and_smartscreen.rs b/src/gui/disable_defender_and_smartscreen.rs index 99f35ab..a4f5096 100644 --- a/src/gui/disable_defender_and_smartscreen.rs +++ b/src/gui/disable_defender_and_smartscreen.rs @@ -2,20 +2,20 @@ use crate::common::*; //use fltk::dialog; use windows::{core::w, Win32::System::{GroupPolicy::IGroupPolicyObject, Registry::{HKEY, HKEY_LOCAL_MACHINE}}}; use std::error::Error; -//use winsafe::{HKEY as SAFE_HKEY, prelude::advapi_Hkey}; +//use winsafe::{HKEY as HKEY_SAFE, prelude::advapi_Hkey}; pub fn run() -> Result<(), Box> { let (hklm, gpo_hklm): (HKEY, IGroupPolicyObject) = init_registry_gpo(HKEY_LOCAL_MACHINE)?; /* Not necessary, for now. - let hklm = SAFE_HKEY::LOCAL_MACHINE; + let hklm_safe = HKEY_SAFE::LOCAL_MACHINE; let tamper_disabled = check_dword( - &hklm, + &hklm_safe, r"SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection", 4, )?; let realtime_disabled = check_dword( - &hklm, + &hklm_safe, r"SOFTWARE\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", 1, diff --git a/src/gui/reduce_forensics.rs b/src/gui/reduce_forensics.rs index 32b9674..01ffcb2 100644 --- a/src/gui/reduce_forensics.rs +++ b/src/gui/reduce_forensics.rs @@ -4,6 +4,11 @@ use windows::{core::w, Win32::System::{GroupPolicy::IGroupPolicyObject, Registry use crate::common::*; +/* Ignored for security reasons: + - PowerShell module logging + - Event Viewer +*/ + pub fn run() -> Result<(), Box> { let (hklm, gpo_hklm): (HKEY, IGroupPolicyObject) = init_registry_gpo(HKEY_LOCAL_MACHINE)?; let (hkcu, gpo_hkcu): (HKEY, IGroupPolicyObject) = init_registry_gpo(HKEY_CURRENT_USER)?; @@ -242,14 +247,6 @@ pub fn run() -> Result<(), Box> { 1, )?; - // Disable Event Logging. - set_string_gpo( - hklm, - w!(r"SYSTEM\CurrentControlSet\Services\EventLog"), - w!("Start"), - w!("4"), - )?; - // Disable File History. set_dword_gpo( hklm, @@ -258,14 +255,6 @@ pub fn run() -> Result<(), Box> { 1, )?; - // Disable PowerShell module logging. - set_dword_gpo( - hklm, - w!(r"SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"), - w!("EnableModuleLogging"), - 0, - )?; - save_registry_gpo(hklm, gpo_hklm)?; save_registry_gpo(hkcu, gpo_hkcu)?; diff --git a/src/gui/reduce_online_data_collection.rs b/src/gui/reduce_online_data_collection.rs index df2257b..e479aff 100644 --- a/src/gui/reduce_online_data_collection.rs +++ b/src/gui/reduce_online_data_collection.rs @@ -1,320 +1,180 @@ +use windows::{core::w, Win32::System::{GroupPolicy::IGroupPolicyObject, Registry::{HKEY, HKEY_LOCAL_MACHINE}}}; + use crate::common::*; use std::error::Error; -use winsafe::{HKEY, prelude::advapi_Hkey}; -/* Ignored: +/* Ignored for security or usability reasons: - Find My Device - Windows Update + - Syncing to a Microsoft account */ pub fn run() -> Result<(), Box> { - let hklm = HKEY::LOCAL_MACHINE; + let (hklm, gpo_hklm): (HKEY, IGroupPolicyObject) = init_registry_gpo(HKEY_LOCAL_MACHINE)?; // Don't allow online tips. - set_dword( - &hklm, - r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips", - "AllowOnlineTips", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips"), + w!("AllowOnlineTips"), 1, )?; // Don't allow users to enable online speech recongition services. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\InputPersonalization", - "AllowInputPersonalization", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\InputPersonalization"), + w!("AllowInputPersonalization"), 0, )?; // Remove Personalized Website Recommendations from the Recommended section in the Start Menu. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Explorer", - "HideRecommendedPersonalizedSites", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Explorer"), + w!("HideRecommendedPersonalizedSites"), 1, )?; // Turn off account-based insights, recent, favorite, and recommended files in File Explorer. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Explorer", - "HideRecommendedSection", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Explorer"), + w!("HideRecommendedSection"), 1, )?; // Prevent device metadata retrieval from the Internet. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Device Metadata", - "PreventDeviceMetadataFromNetwork", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Device Metadata"), + w!("PreventDeviceMetadataFromNetwork"), 1, )?; // Turn off Search Companion content file updates. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\SearchCompanion", - "DisableContentFileUpdates", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\SearchCompanion"), + w!("DisableContentFileUpdates"), 1, )?; // Don't allow Clipboard synchronization across devices. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\System", - "AllowCrossDeviceClipboard", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\System"), + w!("AllowCrossDeviceClipboard"), 0, )?; // Don't allow downloading updates to the Disk Failure Prediction Model. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\StorageHealth", - "AllowDiskHealthModelUpdates", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\StorageHealth"), + w!("AllowDiskHealthModelUpdates"), 0, )?; // Don't allow sideloaded apps to auto-update in the background. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Appx", - "DisableBackgroundAutoUpdates", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Appx"), + w!("DisableBackgroundAutoUpdates"), 0, )?; // "Cloud optimized content / Windows experiences" are used for advertising, but aren't disabled in defaults.rs to keep the OS "stock". - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\CloudContent", - "DisableCloudOptimizedContent", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\CloudContent"), + w!("DisableCloudOptimizedContent"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\CloudContent", - "DisableConsumerAccountStateContent", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\CloudContent"), + w!("DisableConsumerAccountStateContent"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\CloudContent", - "DisableSoftLanding", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\CloudContent"), + w!("DisableSoftLanding"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\CloudContent", - "DisableSoftLanding", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\CloudContent"), + w!("DisableSoftLanding"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\CloudContent", - "DisableWindowsConsumerFeatures", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\CloudContent"), + w!("DisableWindowsConsumerFeatures"), 1, )?; - // Don't allow Windows to sync cellular messages to Mircosoft's cloud services. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Messaging", - "AllowMessageSync", + // Don't allow Windows to sync cellular messages to Microsoft's cloud services. + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Messaging"), + w!("AllowMessageSync"), 0, )?; // Disable an old virtual assistant that excessively used the internet and violated privacy. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", - "AllowCortana", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"), + w!("AllowCortana"), 0, )?; // Disable Windows Search from using the "cloud" / internet. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", - "AllowCloudSearch", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"), + w!("AllowCloudSearch"), 0, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", - "DisableWebSearch", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"), + w!("DisableWebSearch"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", - "EnableDynamicContentInWSB", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"), + w!("EnableDynamicContentInWSB"), 1, )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", - "ConnectedSearchUseWeb", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Windows\Windows Search"), + w!("ConnectedSearchUseWeb"), 0, )?; // Don't automatically download a new speech model. - set_dword( - &hklm, - r"Machine\SOFTWARE\Policies\Microsoft\Speech", - "AllowSpeechModelUpdate", + set_dword_gpo( + hklm, + w!(r"Machine\SOFTWARE\Policies\Microsoft\Speech"), + w!("AllowSpeechModelUpdate"), 0, )?; - // Don't sync any data to Microsoft. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableAccessibilitySettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableAccessibilitySettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableAppSyncSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableAppSyncSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableApplicationSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableApplicationSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableCredentialsSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableCredentialsSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableDesktopThemeSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableDesktopThemeSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableLanguageSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableLanguageSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisablePersonalizationSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisablePersonalizationSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableStartLayoutSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableStartLayoutSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableWebBrowserSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableWebBrowserSettingSyncUserOverride", - 1, - )?; - - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableWindowsSettingSync", - 2, - )?; - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Windows\SettingSync", - "DisableWindowsSettingSyncUserOverride", - 1, - )?; - // Don't show News and Interests or other widgets. - set_dword( - &hklm, - r"SOFTWARE\Policies\Microsoft\Dsh", - "AllowNewsAndInterests", + set_dword_gpo( + hklm, + w!(r"SOFTWARE\Policies\Microsoft\Dsh"), + w!("AllowNewsAndInterests"), 0, )?; + + save_registry_gpo(hklm, gpo_hklm)?; Ok(()) }