Improve and unify disabling of Windows services

Refactor, unify and improve the logic to to start/stop and
enable/disable services, and also add more documentation.

Rework functions:
  - Unify way of disabling Windows services using templating.
  - Capitalize as `startupMode` (where startup is single word) everywhere.
  - Use also text parameters (automatic, manual..) instead of numeric
    values (2,3...) when providing parameters to any service disable
    function.

Improve documentation:
  - Add reference URLs about disabled services.
  - Add more code documentation for querying status and allowed values.

Logic improvements include:
  - Check if service is running before stopping/starting the service.
  - Do not start the service if it's not an Automatic service.
  - Check whether service is already disabled.
  - When reverting, start the service if it has Automatic startup, but
    do not start it if it has a different startup (e.g. manual).
    Also start the service even when the startup mode is already
    configured as desired (previously it quit before starting the service).

Improve outputs (logs):
  - Remove false-positive error messages.
  - When a service cannot be stopped/start; mention in output that the
    service will be started/stopped after reboot.
  - Show success message once service is enabled/disabled.
  - Fix reboot messages when enabling/disabling services,
  - Do not write stderr if service cannot be stopped/started as it's not
    not the main goal of the function.

Add missing revert code for the ones missing them:
  - Disable diagnostics telemetry
  - Disable Windows Media Player Network Sharing Service

> Function: DisableServiceInRegistry
- Fix not exitting if service does not exist when reverting
- Show success message once service is enabled/disabled
- Fix double "Enabled.." messages
- Fix unintended registry addition

> Function: DisablePerUserService
- Change implementation to call DisableServiceInRegistry.
- Fix both services are skipped if one of them fails.
- Fix reverting a service sets wrong startup mode.
undergroundwires
2021-11-25 21:34:15 +01:00
parent 7c02ffb6c9
commit 70cdf3865a


@@ -573,17 +573,42 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
- -
name: Disable diagnostics telemetry category: Disable diagnostics telemetry services
recommend: standard children:
code: |- -
reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f name: Disable connected user experiences and telemetry service # Connected User Experiences and Telemetry
reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushsvc" /v "Start" /t REG_DWORD /d 4 /f recommend: standard
reg add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f docs: http://batcmd.com/windows/10/services/diagtrack/
reg add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d 4 /f call:
sc stop "DiagTrack" & sc config "DiagTrack" start=disabled function: DisableService
sc stop "dmwappushservice" & sc config "dmwappushservice" start=disabled parameters:
sc stop "diagnosticshub.standardcollector.service" & sc config "diagnosticshub.standardcollector.service" start=disabled serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType
sc stop "diagsvc" & sc config "diagsvc" start=disabled defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable WAP push message routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service
recommend: standard
docs: http://batcmd.com/windows/10/services/dmwappushservice/
call:
function: DisableService
parameters:
serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable diagnostics hub standard collector service # Microsoft (R) Diagnostics Hub Standard Collector
docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/
call:
function: DisableService
parameters:
serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable diagnostic execution service # Diagnostic Execution Service
docs: http://batcmd.com/windows/10/services/diagsvc/
call:
function: DisableService
parameters:
serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable Customer Experience Improvement Program name: Disable Customer Experience Improvement Program
recommend: standard recommend: standard
@@ -669,40 +694,53 @@ actions:
name: Disable error reporting name: Disable error reporting
recommend: standard recommend: standard
docs: docs:
- https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings # Settings
- https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 - https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings
code: |- - https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493
:: Disable Windows Error Reporting (WER) # Windows Error Reporting Service
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f - http://batcmd.com/windows/10/services/wersvc/
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f # Problem Reports Control Panel Support
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data - http://batcmd.com/windows/10/services/wercplsupport/
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f call:
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f -
:: Disable WER sending second-level data function: RunInlineCode
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f parameters:
:: Disable WER crash dialogs, popups code: |-
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f :: Disable Windows Error Reporting (WER)
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f
:: Disable Windows Error Reporting Service :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
sc stop "WerSvc" & sc config "WerSvc" start=disabled reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f
sc stop "wercplsupport" & sc config "wercplsupport" start=disabled reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f
revertCode: |- :: Disable WER sending second-level data
:: Enable Windows Error Reporting (WER) reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f :: Disable WER crash dialogs, popups
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f revertCode: |-
:: Enable WER sending second-level data :: Enable Windows Error Reporting (WER)
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
:: Enable WER crash dialogs, popups reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f
:: Enable Windows Error Reporting Service :: Enable WER sending second-level data
sc config "WerSvc" start=demand reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f
sc config "wercplsupport" start=demand :: Enable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable
- # Windows Error Reporting Service
function: DisableService
parameters:
serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- # Problem Reports Control Panel Support
function: DisableService
parameters:
serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
category: Disable automatic driver updates by Windows Update category: Disable automatic driver updates by Windows Update
children: children:
@@ -1431,15 +1469,16 @@ actions:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
- -
name: Do not start Windows Biometric Service name: Disable Windows Biometric Service
recommend: strict recommend: strict
docs: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service docs:
code: |- - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f - http://batcmd.com/windows/10/services/wbiosrvc/
sc stop "WbioSrvc" & sc config "WbioSrvc" start=disabled call:
revertCode: |- function: DisableService
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 2 /f parameters:
sc config "WbioSrvc" start=demand serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable Wi-Fi sense name: Disable Wi-Fi sense
recommend: standard recommend: standard
@@ -1500,10 +1539,15 @@ actions:
children: children:
- -
name: Disable Windows Insider Service name: Disable Windows Insider Service
docs: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service docs:
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service
- http://batcmd.com/windows/10/services/wisvc/
recommend: standard recommend: standard
code: sc stop "wisvc" & sc config "wisvc" start=disabled call:
revertCode: sc config "wisvc" start=demand function: DisableService
parameters:
serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Do not let Microsoft try features on this build name: Do not let Microsoft try features on this build
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation
@@ -1656,9 +1700,13 @@ actions:
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 0 /f
- -
name: Stop and disable Visual Studio Standard Collector Service name: Stop and disable Visual Studio Standard Collector Service
# Collects logs for Diagnostics Hub
recommend: standard recommend: standard
code: sc stop "VSStandardCollectorService150" & sc config "VSStandardCollectorService150" start=disabled call:
revertCode: sc config "VSStandardCollectorService150" start=auto & sc start "VSStandardCollectorService150" function: DisableService
parameters:
serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Disable NET Core CLI telemetry name: Disable NET Core CLI telemetry
recommend: standard recommend: standard
@@ -1872,12 +1920,18 @@ actions:
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE
# - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b) # - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
# name: Disable ClickToRun Service Monitor # name: Disable ClickToRun Service Monitor
# code: |- # docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx
# schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE # call:
# sc stop "ClickToRunSvc" & sc config "ClickToRunSvc" start=disabled # -
# revertCode: |- # function: RunInlineCode
# schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE # parameters:
# sc config "ClickToRunSvc" start=auto & sc start "ClickToRunSvc" # code: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE
# revertCode: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE
# -
# function: DisableService
# parameters:
# serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType
# defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Disable Subscription Heartbeat name: Disable Subscription Heartbeat
code: |- code: |-
@@ -2055,54 +2109,97 @@ actions:
- -
name: Disable Google update service name: Disable Google update service
recommend: standard recommend: standard
code: |- docs:
sc stop "gupdate" & sc config "gupdate" start=disabled - https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/
sc stop "gupdatem" & sc config "gupdatem" start=disabled - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25791.html #gupdate
schtasks /change /disable /tn "GoogleUpdateTaskMachineCore" - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-26582.html #gupdatem
schtasks /change /disable /tn "GoogleUpdateTaskMachineUA" call:
revertCode: |- -
sc config "gupdate" start=auto & sc start "gupdate" function: RunInlineCode
sc config "gupdatem" start=auto & sc start "gupdatem" parameters:
schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore" code: |-
schtasks /change /enable /tn "GoogleUpdateTaskMachineUA" schtasks /change /disable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /disable /tn "GoogleUpdateTaskMachineUA"
revertCode: |-
schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /enable /tn "GoogleUpdateTaskMachineUA"
-
function: DisableService
parameters:
serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Disable Adobe Acrobat update service name: Disable Adobe Acrobat update service
recommend: standard recommend: standard
code: |- call:
sc stop "AdobeARMservice" & sc config "AdobeARMservice" start=disabled -
sc stop "adobeupdateservice" & sc config "adobeupdateservice" start=disabled function: DisableService
sc stop "adobeflashplayerupdatesvc" & sc config "adobeflashplayerupdatesvc" start=disabled parameters:
schtasks /change /tn "Adobe Acrobat Update Task" /disable serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType
schtasks /change /tn "Adobe Flash Player Updater" /disable defaultStartupMode: Automatic # Allowed values: Automatic | Manual
revertCode: |- -
sc config "AdobeARMservice" start=auto & sc start "AdobeARMservice" function: DisableService
sc config "adobeupdateservice" start=auto & sc start "adobeupdateservice" parameters:
sc config "adobeflashplayerupdatesvc" start=auto & sc start "adobeflashplayerupdatesvc" serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType
schtasks /change /tn "Adobe Acrobat Update Task" /enable defaultStartupMode: Automatic # Allowed values: Automatic | Manual
schtasks /change /tn "Adobe Flash Player Updater" /enable -
function: DisableService
parameters:
serviceName: adobeflashplayerupdatesvc # Check: (Get-Service -Name adobeflashplayerupdatesvc).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /change /tn "Adobe Acrobat Update Task" /disable
schtasks /change /tn "Adobe Flash Player Updater" /disable
revertCode: |-
schtasks /change /tn "Adobe Acrobat Update Task" /enable
schtasks /change /tn "Adobe Flash Player Updater" /enable
- -
name: Disable Razer Game Scanner Service name: Disable Razer Game Scanner Service
recommend: standard recommend: standard
code: sc stop "Razer Game Scanner Service" & sc config "Razer Game Scanner Service" start=disabled call:
revertCode: sc config "Razer Game Scanner Service" start=demand function: DisableService
parameters:
serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable Logitech Gaming Registry Service name: Disable Logitech Gaming Registry Service
recommend: standard recommend: standard
code: sc stop "LogiRegistryService" & sc config "LogiRegistryService" start=disabled call:
revertCode: sc config "LogiRegistryService" start=auto & sc start "LogiRegistryService" function: DisableService
parameters:
serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Disable Dropbox auto update service name: Disable Dropbox auto update service
recommend: standard recommend: standard
code: |- call:
sc stop "dbupdate" & sc config "dbupdate" start=disabled -
sc stop "dbupdatem" & sc config "dbupdatem" start=disabled function: DisableService
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore" parameters:
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType
revertCode: |- defaultStartupMode: Automatic # Allowed values: Automatic | Manual
sc config "dbupdate" start=auto & sc start "dbupdate" -
sc config "dbupdatem" start=auto & sc start "dbupdatem" function: DisableService
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore" parameters:
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA" serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA"
revertCode: |-
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA"
- -
category: Disable Media Player data collection category: Disable Media Player data collection
children: children:
@@ -2120,8 +2217,13 @@ actions:
reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
- -
name: Disable Windows Media Player Network Sharing Service name: Disable Windows Media Player Network Sharing Service
docs: http://batcmd.com/windows/10/services/wmpnetworksvc/
recommend: standard recommend: standard
code: sc stop "WMPNetworkSvc" & sc config "WMPNetworkSvc" start=disabled call:
function: DisableService
parameters:
serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable CCleaner Monitoring name: Disable CCleaner Monitoring
code: |- code: |-
@@ -3992,8 +4094,8 @@ actions:
- -
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters: parameters:
serviceName: MpsSvc serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start
defaultStartUpMode: 2 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
- -
function: RenameSystemFile function: RenameSystemFile
parameters: parameters:
@@ -4021,8 +4123,8 @@ actions:
- -
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters: parameters:
serviceName: mpsdrv serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
function: RenameSystemFile function: RenameSystemFile
parameters: parameters:
@@ -4104,8 +4206,8 @@ actions:
- -
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters: parameters:
serviceName: Sense serviceName: Sense # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense").Start
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
function: RenameSystemFile function: RenameSystemFile
parameters: parameters:
@@ -4228,19 +4330,28 @@ actions:
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul
- -
name: Disable automatic updates name: Disable automatic updates
docs: https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 docs:
code: |- - https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f - http://batcmd.com/windows/10/services/usosvc/
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f call:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f -
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f function: RunInlineCode
sc stop "UsoSvc" & sc config "UsoSvc" start=disabled parameters:
revertCode: |- code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime /f 2>nul reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
sc config "UsoSvc" start=auto & sc start "UsoSvc" revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime /f 2>nul
-
function: DisableService
parameters:
serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
category: UI for privacy category: UI for privacy
children: children:
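Review bot: The `revertCode` moved into `RunInlineCode` for "Disable automatic updates" still carries an unterminated quote in its last line, `/v "ScheduledInstallTime /f 2>nul`, so `/f` and the redirection most likely end up inside the value name and the `ScheduledInstallTime` policy value is not removed on revert. The line should read `reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul`. The direction of `NoAutoUpdate` also looks inverted and is worth confirming against the Windows Update policy reference: `code` writes `0` and `revertCode` writes `1`, while the documented meaning of `1` is that automatic updates are turned off. If that holds, reverting leaves the policy blocking updates even though the new `DisableService` step sets `UsoSvc` back to Automatic, which matters because revert is the path users rely on to get security patching back. A short comment above the `reg add` lines stating the intended meaning of `NoAutoUpdate` and `AUOptions` (as the file already does for `DefaultConsent`) would make this checkable at review time.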
@@ -4415,100 +4526,150 @@ actions:
- -
name: Delivery Optimization (P2P Windows Updates) name: Delivery Optimization (P2P Windows Updates)
recommend: standard recommend: standard
code: sc stop "DoSvc" & sc config "DoSvc" start=disabled docs: http://batcmd.com/windows/10/services/dosvc/
revertCode: sc config "DoSvc" start=auto & sc start "DoSvc" call:
function: DisableService
parameters:
serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Microsoft Windows Live ID Service name: Microsoft Windows Live ID Service
recommend: standard recommend: standard
code: sc stop "wlidsvc" & sc config "wlidsvc" start=demand docs: http://batcmd.com/windows/10/services/wlidsvc/
revertCode: sc config "wlidsvc" start=demand call:
function: DisableService
parameters:
serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Program Compatibility Assistant Service name: Program Compatibility Assistant Service
recommend: standard recommend: standard
code: sc stop "PcaSvc" & sc config "PcaSvc" start=disabled docs: http://batcmd.com/windows/10/services/pcasvc/
revertCode: sc config "PcaSvc" start=demand call:
function: DisableService
parameters:
serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Downloaded Maps Manager name: Downloaded Maps Manager
recommend: standard recommend: standard
code: sc stop "MapsBroker" & sc config "MapsBroker" start=disabled docs: http://batcmd.com/windows/10/services/mapsbroker/
revertCode: sc config "MapsBroker" start=auto & sc start "MapsBroker" call:
function: DisableService
parameters:
serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
name: Microsoft Retail Demo experience name: Microsoft Retail Demo experience
recommend: standard recommend: standard
code: sc stop "RetailDemo" & sc config "RetailDemo" start=disabled docs: http://batcmd.com/windows/10/services/retaildemo/
revertCode: sc config "RetailDemo" start=demand call:
function: DisableService
parameters:
serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
category: Mail, contact, calendar and user data synchronization category: Mail, contact, calendar and user data synchronization
children: children:
- -
name: User Data Storage (UnistoreSvc) Service name: User Data Storage (UnistoreSvc) Service
docs: http://batcmd.com/windows/10/services/unistoresvc/
recommend: strict recommend: strict
call: call:
function: DisablePerUserService function: DisablePerUserService
parameters: parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start
serviceName: UnistoreSvc serviceName: UnistoreSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
name: Sync Host (OneSyncSvc) Service Service name: Sync Host (OneSyncSvc) Service Service
docs: http://batcmd.com/windows/10/services/onesyncsvc/
recommend: strict recommend: strict
call: call:
function: DisablePerUserService function: DisablePerUserService
parameters: parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start
serviceName: OneSyncSvc serviceName: OneSyncSvc
defaultStartUpMode: 2 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
- -
name: Contact data indexing name: Contact data indexing
docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/
call: call:
function: DisablePerUserService function: DisablePerUserService
parameters: parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start
serviceName: PimIndexMaintenanceSvc serviceName: PimIndexMaintenanceSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
name: App user data access name: App user data access
docs: http://batcmd.com/windows/10/services/userdatasvc/
call: call:
function: DisablePerUserService function: DisablePerUserService
parameters: parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start
serviceName: UserDataSvc serviceName: UserDataSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
name: Text messaging name: Text messaging
docs: http://batcmd.com/windows/10/services/messagingservice/
call: call:
function: DisablePerUserService function: DisablePerUserService
parameters: parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start
serviceName: MessagingService serviceName: MessagingService
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
- -
name: Windows Push Notification Service name: Windows Push Notification Service
recommend: standard recommend: standard
docs: https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue docs: https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue
code: sc stop "WpnService" & sc config "WpnService" start=disabled call:
revertCode: sc config "WpnService" start=auto & sc start "WpnService" function: DisableService
parameters:
serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- -
category: Disable Xbox services category: Disable Xbox services
children: children:
- -
name: Xbox Live Auth Manager name: Xbox Live Auth Manager
recommend: standard recommend: standard
code: sc stop "XblAuthManager" & sc config "XblAuthManager" start=disabled call:
revertCode: sc config "XblAuthManager" start=demand function: DisableService
parameters:
serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Xbox Live Game Save name: Xbox Live Game Save
recommend: standard recommend: standard
code: sc stop "XblGameSave" & sc config "XblGameSave" start=disabled call:
revertCode: sc config "XblGameSave" start=demand function: DisableService
parameters:
serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Xbox Live Networking Service name: Xbox Live Networking Service
recommend: standard recommend: standard
code: sc stop "XboxNetApiSvc" & sc config "XboxNetApiSvc" start=disabled call:
revertCode: sc config "XboxNetApiSvc" start=demand function: DisableService
parameters:
serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC
recommend: strict recommend: strict
docs: docs:
- https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
- https://www.schneier.com/blog/archives/2009/12/the_security_im.html - https://www.schneier.com/blog/archives/2009/12/the_security_im.html
code: sc stop "VSS" & sc config "VSS" start=disabled call:
revertCode: sc config "VSS" start=demand function: DisableService
parameters:
serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- -
name: Disable NetBios for all interfaces name: Disable NetBios for all interfaces
docs: docs:
@@ -6191,53 +6352,22 @@ functions:
PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}" PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
{{ end }} {{ end }}
- -
name: DisablePerUserService # https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows name: DisablePerUserService
parameters: parameters:
- name: serviceName - name: serviceName
- name: defaultStartUpMode - name: defaultStartupMode # Alowed values: Boot | System | Automatic | Manual
# More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
call: call:
function: RunPowerShell - # System-wide variant: every per-user service has also system-wide counterpart with same default startup mode
parameters: function: DisableServiceInRegistry
code: |- parameters:
$serviceQueries = @('{{ $serviceName }}', '{{ $serviceName }}_*') serviceName: '{{ $serviceName }}'
foreach ($serviceQuery in $serviceQueries) { defaultStartupMode: '{{ $defaultStartupMode }}'
$service = Get-Service -Name $serviceQuery -ErrorAction Ignore - # Per-user variant
if(!$service) { function: DisableServiceInRegistry
Write-Host "Service `"$serviceQuery`" is not found, no action is needed" parameters:
continue serviceName: '{{ $serviceName }}_*'
} defaultStartupMode: '{{ $defaultStartupMode }}'
$name = $service.Name
Stop-Service $name -ErrorAction SilentlyContinue
if($?) {
Write-Host "Stopped `"$name`""
} else {
Write-Warning "Could not stop `"$name`""
}
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
if(Test-Path $regKey) {
Set-ItemProperty $regKey -Name Start -Value 4 -Force
Write-Host "Disabled `"$name`""
} else {
Write-Host "Service is not registered at Windows startup, no action is needed."
}
}
revertCode: |-
$serviceQueries = @('{{ $serviceName }}', '{{ $serviceName }}_*')
foreach ($serviceQuery in $serviceQueries) {
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service `"$serviceQuery`" not found"
continue
}
$name = $service.Name
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
if(Test-Path $regKey) {
Set-ItemProperty $regKey -Name Start -Value 0 -Force
Write-Host "Enabled `"$name`", may require restarting your computer."
} else {
Write-Error "Registry key at `"$regKey`" does not exist"
}
}
- -
name: RunInlineCode name: RunInlineCode
parameters: parameters:
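Review bot: The per-user call passes the wildcard `'{{ $serviceName }}_*'` into DisableServiceInRegistry, whose script (next hunk) handles the `Get-Service` result as a single service. If the pattern matches more than one instance, which seems possible when several users are signed in, `$service.Name` becomes a list and the interpolated registry path will not exist, so the script would report the key as not found and `Exit 0` with nothing disabled. I would loop over the matches, e.g. `foreach ($svc in @(Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue)) { ... }`, and build the key from `$svc.Name`. The parameter comment also has a typo: `Alowed` should read `Allowed`.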
@@ -6374,56 +6504,98 @@ functions:
name: DisableServiceInRegistry name: DisableServiceInRegistry
parameters: parameters:
- name: serviceName - name: serviceName
- name: defaultStartUpMode - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
call: call:
function: RunPowerShell function: RunPowerShell
parameters: parameters:
code: |- # We do registry way as sc config won't not work code: |- # We do registry way because GUI, "sc config" or "Set-Service" won't not work
$serviceName = '{{ $serviceName }}' $serviceQuery = '{{ $serviceName }}'
$service = Get-Service -Name $serviceName -ErrorAction Ignore # -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) { if(!$service) {
Write-Host "Service `"$serviceName`" is not found, no action is needed" Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it."
exit 0 Exit 0
} }
$name = $service.Name $serviceName = $service.Name
Stop-Service $name -Force -ErrorAction SilentlyContinue Write-Host "Disabling service: `"$serviceName`"."
if($?) { # -- 2. Stop if running
Write-Host "Stopped `"$name`"" if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
} else { Write-Host "`"$serviceName`" is running, trying to stop it."
Write-Warning "Could not stop `"$name`"" try {
} Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name" Write-Host "Stopped `"$serviceName`" successfully."
if(Test-Path $regKey) { } catch {
if( $(Get-ItemProperty -Path "$regKey").Start -eq 4) { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
Write-Host "Service `"$name`" is already disabled, no action is needed"
} else {
Set-ItemProperty $regKey -Name Start -Value 4 -Force
Write-Host "Disabled `"$name`""
} }
} else { } else {
Write-Host "Service is not registered at Windows startup, no action is needed." Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Host "`"$registryKey`" is not found in registry, cannot enable it."
Exit 0
}
# -- 4. Skip if already disabled
if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) {
Write-Host "`"$serviceName`" is already disabled from start, no further action is needed."
Exit 0
}
# -- 5. Disable service
try {
Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
} }
revertCode: |- revertCode: |-
$serviceName = '{{ $serviceName }}' $serviceQuery = '{{ $serviceName }}'
$defaultStartUpMode = '{{ $defaultStartUpMode }}' $defaultStartupMode = '{{ $defaultStartupMode }}'
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue # -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) { if(!$service) {
Write-Warning "Service `"$serviceName`" not found" Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it."
continue Exit 1
} }
$name = $service.Name $serviceName = $service.Name
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name" Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
if(Test-Path $regKey) { # -- 2. Skip if service info is not found in registry
if( $(Get-ItemProperty -Path "$regKey").Start -eq $defaultStartUpMode) { $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
Write-Host "Service $serviceName already enabled" if(!(Test-Path $registryKey)) {
} else { Write-Warning "`"$registryKey`" is not found in registry, cannot enable it."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" -Name Start -Value $defaultStartUpMode Exit 1
Write-Host "Enabled service $serviceName (requires reboot)" }
# -- 3. Enable if not already enabled
$defaultStartupRegValue = `
if ($defaultStartupMode -eq 'Boot') { '0' } `
elseif($defaultStartupMode -eq 'System') { '1' } `
elseif($defaultStartupMode -eq 'Automatic') { '2' } `
elseif($defaultStartupMode -eq 'Manual') { '3' } `
else { throw "Unknown start mode: $defaultStartupMode"}
if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start."
} else {
try {
Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, trying to start it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
} }
Set-ItemProperty $regKey -Name Start -Value 0 -Force
Write-Host "Enabled `"$name`", may require restarting your computer."
} else {
Write-Error "Registry key at `"$regKey`" does not exist"
} }
- -
name: SetMpPreference name: SetMpPreference
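Review bot: In the new revertCode of DisableServiceInRegistry, the `Set-ItemProperty` inside the `try` has no `-ErrorAction Stop`, so a failed registry write (for example access denied) is likely a non-terminating error that skips the `catch` and still prints the success message. The disable path already handles this, and the revert line should match it: `Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force -ErrorAction Stop`. In the disable path the failure branch calls `Write-Error` without `Exit 1`, so a failed disable may be reported to the caller as success, depending on how RunPowerShell propagates errors, which is not visible here. Two messages are also misleading: step 3 of the disable code says `cannot enable it` where it means disable, and the revert warning reads `did not yield and results`.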
@@ -6551,4 +6723,103 @@ functions:
Write-Error "Failed to set using $($command.Name): $_" Write-Error "Failed to set using $($command.Name): $_"
} }
exit 1 exit 1
} -
name: DisableService
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Automatic | Manual
call:
function: RunPowerShell
# Careful with Set-Service cmdlet:
# 1. It exits with positive code even if service is disabled
# 2. It had breaking API change for `-StartupMode` parameter:
# Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual
# PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled
# So "Disabled", "Automatic" and "Manual" are only consistent ones.
# Read more:
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1
parameters:
code: |-
$serviceName = '{{ $serviceName }}'
Write-Host "Disabling service: `"$serviceName`"."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service `"$serviceName`" could not be not found, no need to disable it."
Exit 0
}
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, stopping it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if already disabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq 'Disabled') {
Write-Host "$serviceName is already disabled, no further action is needed"
}
# -- 4. Disable service
try {
Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceName = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service `"$serviceName`" could not be not found, cannot enable it."
Exit 1
}
# -- 2. Enable or skip if already enabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq "$defaultStartupMode") {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed."
} else {
try {
Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, starting it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
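Review bot: Step 3 of the DisableService `code` block prints that the service is already disabled but does not stop there, so step 4 still runs `Set-Service` and reports a successful disable. The step heading says "Skip", and DisableServiceInRegistry exits at the equivalent point, so add `Exit 0` after the `Write-Host` in the `if($startupType -eq 'Disabled')` branch. In revertCode the step comments jump from 2 to 4. The WMI fallback there reads `StartMode`, which I believe reports `Auto` rather than `Automatic`, so the already-enabled comparison may never match on that path. The only effect is a redundant `Set-Service`, but a short comment noting the difference would help.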