diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/AppControlManager/View.cs b/Harden-Windows-Security Module/Main files/C#/GUI/AppControlManager/View.cs index f95fa3bb8..7323c44e6 100644 --- a/Harden-Windows-Security Module/Main files/C#/GUI/AppControlManager/View.cs +++ b/Harden-Windows-Security Module/Main files/C#/GUI/AppControlManager/View.cs @@ -14,6 +14,7 @@ using System.Windows.Controls; using System.Windows.Markup; using System.Windows.Media.Imaging; +using Microsoft.Win32; using Windows.ApplicationModel; using Windows.Management.Deployment; @@ -352,6 +353,36 @@ await Task.Run(() => Logger.LogMessage($"AppControl Manager installation has been successful.", LogTypeIntel.InformationInteractionRequired); + try + { + string registryPath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; + string registryName = "ValidateAdminCodeSignatures"; + + using (RegistryKey? key = Registry.LocalMachine.OpenSubKey(registryPath)) + { + if (key is not null) + { + // Get the registry value + object? registryValue = key.GetValue(registryName); + + if (registryValue is not null && string.Equals(registryValue.ToString(), "1", StringComparison.OrdinalIgnoreCase)) + { + + Logger.LogMessage("Warning: A policy named 'Only elevate executables that are signed and validated' " + + "is conflicting with the AppControl Manager app and won't let it start because it's self-signed " + + "with your on-device keys. Please disable the policy. It can be found in Group Policy Editor -> " + + "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> " + + "'User Account Control: Only elevate executable files that are signed and validated'", LogTypeIntel.WarningInteractionRequired); + + } + } + } + } + catch + { + Logger.LogMessage("Could not verify that 'Only Elevate signed' policy is not active.", LogTypeIntel.Warning); + } + }); } 
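Review bot: In the second hunk the policy value is read as an `object` and compared as text (`string.Equals(registryValue.ToString(), "1", StringComparison.OrdinalIgnoreCase)`); `ValidateAdminCodeSignatures` is normally stored as a REG_DWORD, so a type-tested read is clearer and avoids an ignore-case comparison on a number: `if (key.GetValue(registryName) is int policy && policy == 1)`, which also removes the `registryValue` local. The bare `catch` is fine as best-effort, but `catch (Exception ex)` and appending `ex.GetType().Name` to the "Could not verify" warning would tell the user whether the failure was an access problem or something else. The `Task.Run` lambda this code sits in starts outside the hunk.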
diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Confirm/View.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Confirm/View.cs index 2ff588da0..32a93ae20 100644 --- a/Harden-Windows-Security Module/Main files/C#/GUI/Confirm/View.cs +++ b/Harden-Windows-Security Module/Main files/C#/GUI/Confirm/View.cs @@ -389,7 +389,7 @@ private void UpdateTotalCount(bool ShowNotification) } // Display a notification if it's allowed to do so, and ShowNotification is set to true - if (GlobalVars.UseNewNotificationsExp && ShowNotification) + if (ShowNotification) { ToastNotification.Show(ToastNotification.Type.EndOfConfirmation, CompliantItemsCount, NonCompliantItemsCount, null, null); } diff --git a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs index d518bb22f..36b075023 100644 --- a/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs +++ b/Harden-Windows-Security Module/Main files/C#/GUI/Protection/EventHandlers.cs @@ -723,10 +723,7 @@ await Task.Run(() => } } - if (GlobalVars.UseNewNotificationsExp) - { - ToastNotification.Show(ToastNotification.Type.EndOfProtection, null, null, null, null); - } + ToastNotification.Show(ToastNotification.Type.EndOfProtection, null, null, null, null); } else { diff --git a/Harden-Windows-Security Module/Main files/C#/Others/DialogMsgHelper.cs b/Harden-Windows-Security Module/Main files/C#/Others/DialogMsgHelper.cs index a9df5ccb1..a766873ef 100644 --- a/Harden-Windows-Security Module/Main files/C#/Others/DialogMsgHelper.cs +++ b/Harden-Windows-Security Module/Main files/C#/Others/DialogMsgHelper.cs @@ -22,7 +22,7 @@ internal static void Show(string Message, string? Title = "An Error Occurred") { Title = Title, Width = 450, - Height = 300, + Height = 350, WindowStartupLocation = WindowStartupLocation.CenterScreen, ResizeMode = ResizeMode.NoResize 
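Review bot: Removing the `GlobalVars.UseNewNotificationsExp` guard in `UpdateTotalCount` makes `ToastNotification.Show(...)` unconditional, so if the toast assemblies are not loaded in the session the call now throws at the very end of the compliance run instead of being skipped; the same applies to the `ToastNotification.Show` line in the `Protection/EventHandlers.cs` hunk of this commit. The module now tries to load those DLLs up front and re-launch, but a hard load failure (DLL missing or blocked) would still reach these calls. A small `try { ToastNotification.Show(...); } catch (Exception ex) { Logger.LogMessage($"Toast notification could not be shown: {ex.Message}", LogTypeIntel.Warning); }` keeps the notification best-effort, which is what the removed flag provided. Both enclosing methods start outside the hunks.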
diff --git a/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs b/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs index b49c9d1ed..26f57f08d 100644 --- a/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs +++ b/Harden-Windows-Security Module/Main files/C#/Others/GlobalVars.cs @@ -65,11 +65,6 @@ public static class GlobalVars // The path to the LGPO.exe utility internal static string? LGPOExe; - // A flag to determine whether the new notifications experience should be used or not - // It won't be used if there is an interferences detected with DLL load due to other addons being loaded in the PowerShell session - // Such as PowerToys' CommandNotFound or WinGet's PowerShell module - public static bool UseNewNotificationsExp = true; - // Initialize the RegistryCSVItems list so that the HardeningRegistryKeys.ReadCsv() method can write to it internal static readonly List RegistryCSVItems = []; diff --git a/Harden-Windows-Security Module/Main files/C#/Others/ToastNotification.cs b/Harden-Windows-Security Module/Main files/C#/Others/ToastNotification.cs index 1e897afdc..2ba5b3ef2 100644 --- a/Harden-Windows-Security Module/Main files/C#/Others/ToastNotification.cs +++ b/Harden-Windows-Security Module/Main files/C#/Others/ToastNotification.cs @@ -20,9 +20,6 @@ public enum Type /// /// Displays modern toast notification on Windows - /// The caller must check for GlobalVars.UseNewNotificationsExp and if it's true then use this method - /// So that it will only display the notifications if the required DLLs have been loaded in the PowerShell session via Add-Type - /// That is different than the DLLs being made available to the Add-Type during C# code compilation /// /// The type of the toast notification to use public static void Show(Type Type, string? TotalCompliantValues, string? TotalNonCompliantValues, string? UnprotectCategory, string? BitLockerEncryptionTab) 
diff --git a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 index a9929d317..5907c4924 100644 --- a/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 +++ b/Harden-Windows-Security Module/Main files/Core/Confirm-SystemCompliance.psm1 @@ -41,8 +41,8 @@ function Confirm-SystemCompliance { if (-NOT ([HardenWindowsSecurity.UserPrivCheck]::IsAdmin())) { Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator' } + try { LoadHardenWindowsSecurityNecessaryDLLsInternal } catch { Write-Verbose $global:ReRunText; ReRunTheModuleAgain $MyInvocation.Statement } [HardenWindowsSecurity.Initializer]::Initialize($VerbosePreference) - if (-NOT $Offline) { [HardenWindowsSecurity.Logger]::LogMessage('Checking for updates...', [HardenWindowsSecurity.LogTypeIntel]::Information) Update-HardenWindowsSecurity -InvocationStatement $MyInvocation.Statement diff --git a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 index 67a2a7518..685115e30 100644 --- a/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 +++ b/Harden-Windows-Security Module/Main files/Core/Protect-WindowsSecurity.psm1 @@ -271,6 +271,7 @@ Function Protect-WindowsSecurity { } } begin { + try { LoadHardenWindowsSecurityNecessaryDLLsInternal } catch { Write-Verbose $global:ReRunText; ReRunTheModuleAgain -C $MyInvocation.Statement } $script:ErrorActionPreference = 'Stop' [HardenWindowsSecurity.Initializer]::Initialize($VerbosePreference) [System.Boolean]$ErrorsOccurred = $false diff --git a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 index 43bfff64f..0c01d59a8 100644 
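Review bot: After `ReRunTheModuleAgain $MyInvocation.Statement` in the new `catch`, control falls through to `[HardenWindowsSecurity.Initializer]::Initialize(...)` and the rest of `Confirm-SystemCompliance`, so the original session keeps executing the command while the child `pwsh.exe` runs it again; in the `Protect-WindowsSecurity` hunk that means two processes applying hardening to the same machine concurrently. Add `return` after the re-run call in `Confirm-SystemCompliance`; in the `begin` block of `Protect-WindowsSecurity` a `return` does not skip `process`/`end`, so a `throw` or a flag checked in the later blocks is needed there. The same pattern appears in the `Unprotect-WindowsSecurity.psm1` hunk. All three function bodies continue outside the hunks.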
--- a/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 +++ b/Harden-Windows-Security Module/Main files/Core/Unprotect-WindowsSecurity.psm1 @@ -23,6 +23,7 @@ Function Unprotect-WindowsSecurity { if (-NOT ([HardenWindowsSecurity.UserPrivCheck]::IsAdmin())) { Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator' } + try { LoadHardenWindowsSecurityNecessaryDLLsInternal } catch { Write-Verbose $global:ReRunText; ReRunTheModuleAgain $MyInvocation.Statement } $script:ErrorActionPreference = 'Stop' [HardenWindowsSecurity.Initializer]::Initialize($VerbosePreference) [HardenWindowsSecurity.Logger]::LogMessage('Checking for updates...', [HardenWindowsSecurity.LogTypeIntel]::Information) diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 index a0329e48f..5fdfca4d4 100644 --- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psd1 @@ -12,7 +12,7 @@ PowerShellVersion = '7.4.5' RequiredAssemblies = @() NestedModules = @('Core\Confirm-SystemCompliance.psm1', 'Core\Protect-WindowsSecurity.psm1', 'Core\Unprotect-WindowsSecurity.psm1') - FunctionsToExport = @('Confirm-SystemCompliance', 'Protect-WindowsSecurity', 'Unprotect-WindowsSecurity', 'Update-HardenWindowsSecurity') + FunctionsToExport = @('Confirm-SystemCompliance', 'Protect-WindowsSecurity', 'Unprotect-WindowsSecurity', 'Update-HardenWindowsSecurity', 'LoadHardenWindowsSecurityNecessaryDLLsInternal', 'ReRunTheModuleAgain') CmdletsToExport = @() VariablesToExport = '*' AliasesToExport = @() diff --git a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 index 05346aeb7..d69ce7ee3 100644 
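Review bot: `FunctionsToExport` in the manifest now publishes `LoadHardenWindowsSecurityNecessaryDLLsInternal` and `ReRunTheModuleAgain`, which makes an internal DLL loader and a thin wrapper around `pwsh.exe -command` part of the module's public command surface, visible in tab completion and callable by any script that imports the module. If the export exists only so the nested Core modules can reach them, say so on that line (`# exported only so the nested Core modules can call them`) so a later cleanup does not break the re-run path; otherwise consider defining them where the nested modules can see them without exporting.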
--- a/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 +++ b/Harden-Windows-Security Module/Main files/Harden-Windows-Security-Module.psm1 @@ -76,14 +76,12 @@ function Update-HardenWindowsSecurity { } } } - try { $PSStyle.Progress.UseOSCIndicator = $true # Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session Set-PSReadLineKeyHandler -Key 'Tab' -Function 'MenuComplete' } catch {} - $ToastNotificationDLLs = [System.Collections.Generic.List[System.String]]::new() $ToastNotificationDLLs.Add([System.IO.Path]::Combine($PSScriptRoot, 'DLLs', 'Toast Notifications', 'Microsoft.Toolkit.Uwp.Notifications.dll')) $ToastNotificationDLLs.Add([System.IO.Path]::Combine($PSScriptRoot, 'DLLs', 'Toast Notifications', 'Microsoft.Win32.SystemEvents.dll')) 
@@ -96,20 +94,14 @@ $ToastNotificationDLLs.Add([System.IO.Path]::Combine($PSScriptRoot, 'DLLs', 'Toa # https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/ Add-Type -Path ([System.IO.Directory]::GetFiles("$PSScriptRoot\C#", '*.*', [System.IO.SearchOption]::AllDirectories)) -ReferencedAssemblies @((Get-Content -Path "$PSScriptRoot\.NETAssembliesToLoad.txt") + "$($PSHOME)\WindowsBase.dll" + $ToastNotificationDLLs) -CompilerOptions '/langversion:preview', '/nowarn:1701', '/nullable:enable', '/checked' -try { +Function LoadHardenWindowsSecurityNecessaryDLLsInternal { # when we use the -ReferencedAssemblies parameter of Add-Type, The DLLs are only added and made available to the C# compilation, not the PowerShell host itself - # In order to display the toast notifications, they needed to be added to the PowerShell itself as well + # In order to display the toast notifications and other codes that rely on them, they needed to be added to the PowerShell itself as well foreach ($DLLPath in $ToastNotificationDLLs) { Add-Type -Path $DLLPath } } -catch { - [HardenWindowsSecurity.GlobalVars]::UseNewNotificationsExp = $false -} -try { - [HardenWindowsSecurity.GlobalVars]::Host = $HOST -} -catch { - [HardenWindowsSecurity.GlobalVars]::Host = $null -} -[HardenWindowsSecurity.GlobalVars]::path = $PSScriptRoot \ No newline at end of file +try { [HardenWindowsSecurity.GlobalVars]::Host = $HOST }catch { [HardenWindowsSecurity.GlobalVars]::Host = $null } +[HardenWindowsSecurity.GlobalVars]::path = $PSScriptRoot +Function ReRunTheModuleAgain($C) { pwsh.exe -NoProfile -NoLogo -NoExit -command $C } +$global:ReRunText = 'Re-running the module because of a possible dependency conflict with other modules such as CommandNotFound in PowerToys' \ No newline at end of file 
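Review bot: `ReRunTheModuleAgain` has no re-entry guard: the child `pwsh.exe` imports the same module, and if `LoadHardenWindowsSecurityNecessaryDLLsInternal` fails there too for a reason unrelated to conflicting modules (a DLL missing from `DLLs\Toast Notifications` or blocked from loading), the child's `catch` spawns another `pwsh.exe`, and so on without bound. Set a marker before launching (for example an environment variable such as `$env:HWS_RERUN = '1'`, a constructed name) and have the `catch` blocks raise an error instead of re-launching when it is already present. `pwsh.exe` is also resolved through `PATH`; `"$PSHOME\pwsh.exe"` (or `[System.Environment]::ProcessPath`) pins the re-launch to the host binary already running. `$global:ReRunText` is written into the user's global scope on import; if a `$script:` variable cannot be seen from the nested Core modules, a one-line comment saying so would explain why global scope was chosen.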
diff --git a/Harden-Windows-Security Module/Main files/Resources/XAML/AppControlManager.xaml b/Harden-Windows-Security Module/Main files/Resources/XAML/AppControlManager.xaml index 5ec5de92c..40e4ef55a 100644 --- a/Harden-Windows-Security Module/Main files/Resources/XAML/AppControlManager.xaml +++ b/Harden-Windows-Security Module/Main files/Resources/XAML/AppControlManager.xaml @@ -10,7 +10,7 @@ -