Version 7.0.0.1

Added two new ASR rules to ConfigureDefender.

Some corrections in the help files and H_C manual.

Version 7.0.0.0

All executables are signed with a new digital certificate.

Added conhost.exe to the FirewallHardening BlockList.

Added the second setting to <Block AppInstaller>. It allows only those APPX and MSIX packages that are signed by Microsoft Store.

Minor GUI changes in ConfigureDefender (mouse wheel scrolling, buttons design).

Adjusted code to work with Windows Hybrid Hardening.

Version 6.1.1.1 (no functional changes from the latest beta)

1. Added support for Windows 11 ver. 22H2

2. Added new setting profiles:

Windows_11_SAC_ON_Recommended_Settings.hdc

Windows_11_SAC_ON_NoSRP.hdc

3. Added certoc.exe, cipher.exe, pnputil.exe, and scp.exe to the list of blocked sponsors.

4. Added the ONE extension (OneNote document).

5. Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings also include all ON1 settings.

ON2 settings require resetting (ON2 --> OFF --> ON2) after the current update.

6. Updated H_C manual (info about possible issues related to the activated AppLocker).

7. Corrected some minor bugs.

8. Added a new digital certificate.

Version 6.0.1.1

1. Adjusted the default extensions in <Designated File Types> to those used in Simple Windows Hardening. So, some popular

Excel extensions are not blocked in the default setup: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.

2. Updated the manual and some help files.

3. Added a new option in the DocumentsAntiExploit tool to make the configuration of Adobe Acrobat more granular.

4. Added the button <MORE ...><Remove Obsolete Restrictions>.

5. Added a new digital certificate.

Version 6.0.1.0 beta

1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy

file formats:

New default extensions

ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.

New Paranoid extensions

ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04,

R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.

Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them

(and not Windows built-in File Explorer).

2. Added new versions of DocumentsAntiExploit, RunBySmartscreen and FirewallHardening tools.

3. Improved policies for Adobe Acrobat Reader XI/DC.

4. Corrected some minor bugs.

5. Updated H_C manual and some help files.

Version 6.0.0.1 beta

1. Added <Block AppInstaller> option.

2. New FirewallHardening version 2.0.1.1.

- added the options to load/save the external BlockLists.

- added new LOLBins: bitsadmin.exe (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr,

dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe,

xwizard.

Version 6.0.0.0 (stable)

1. Introduced two color-changing buttons. When the restrictions are OFF, the buttons <Switch OFF/ON SRP> and <Switch OFF/ON

Restrictions> change the background color from green to blue.

2. Fixed some minor bugs.

3. Added finger.exe to blocked sponsors and also to the H_C Enhanced profiles.

4. Added some EXE files to FirewallHardening LOLBin Blocklist: csc, cvtres, CasPol, finger, ilasm, jsc,

Microsoft.Workflow.Compiler, mscorsvw, ngen, ngentask, vbc.

5. Added SLK and ELF file extensions to the default protected extensions in SRP and RunBySmartscreen.

6. Added a switch -p to run H_C and SwitchDefaultDeny with SRP enforcement to block all users (including Administrators).

It can be used especially on the older Windows versions to improve post-exploitation protection on the default Admin account.

This switch should be used only by very experienced users.

7. New version of ConfigureDefender:

- Added some useful information to the Help and manual.

- Added "Send All" setting to Automatic Sample Submission.

- Updated ASR rules (1 new rule added).

- Added the Warn mode to ASR rules.

- Added INTERACTIVE Protection Level which uses ASR rules set to Warn.

- Added the <Info> button next to the Protection Levels buttons. It displays information about which settings are enabled in

DEFAULT, HIGH, INTERACTIVE, and MAX Protection Levels.

- Redesigned slightly the layout of the Exploit Guard section.

- Added support for event Id=1120.

- Added CFA setting BDMO = Block Disk Modifications Only - folders will not be protected, but some important disk sectors

will be still protected (Id = 1127).

8. Added support for Windows 11.

Version 5.1.1.2 (stable)

This version is the same as ver. 5.1.1.1, except that DocumentsAntiExploit tool executable was replaced by its

standalone version. This can matter if after the uninstallation of H_C the user will want to use DocumentsAntiExploit tool

(without Hard_Configurator) to harden MS Office or Adobe Acrobat Reader XI/DC.

Version 5.1.1.1 (stable)

The main differences from the last stable ver. 5.0.0.0 are included in beta versions : 5.0.0.1, 5.0.1.1, and 5.1.1.1.

There are some minor changes as compared to the latest beta ver. 5.1.1.1:

1. Executables are signed by the new code signing certificate valid until June 2021.

2. Added the tip text feature for some important buttons in ConfigureDefender, DocumentsAntiExploit and FirewallHardening.

3. Updated versions of ConfigureDefender ver. 3.0.0.1, DocumentsAntiExploit ver. 1.0.1.1, FirewallHardening ver. 2.0.0.0,

and RunBySmartScreen 3.1.0.1.

Version beta 5.1.1.1

1. Fixed the GUI bug related to whitelisting by hash.

Version beta 5.0.1.1

1. Added the integrity module which can check and solve problems when SRP is tampered by another application.

2. Added a quick method to refresh SRP rules.

3. Added the new setting profile Windows_*_Basic_Recommended_Settings.hdc and included it in Hard_Configurator manual.

4. Removed the "All files" SRP Enforcement setting due to possible incompatibilities with 3rd party security solutions.

Furthermore, this setting is not used in Hard_Configurator predefined profiles and it is not well integrated with

Recommended Settings on Windows 8 .

5. Improved the SRP rules related to <Update Mode> and <Harden Archivers> (added support for Explzh archiver).

6. Corrected some minor bugs.

Version beta 5.0.0.1

1. The new version of ConfigureDefender 2.1.1.1

Corrected a bug related to the error when "Defender Security Log" is empty.

Removed event Id=1117 from Defender Security Log.

Extended the maximal number of entries in the Log to 300.

Extended the "Cloud Time Check Limit" in HIGH Protection Level from 10s to 20s.

2. The new version of FirewallHardening 1.0.1.1

Added curl.exe to FirewallHardening LolBins, and curl.exe, certutil.exe to FirewallHardening 'Recommended H_C' rules.

Removed the bug related to displaying the last blocked event.

3. The new version of DocumentsAntiExploit tool - improved/corrected the Outlook macro protection.

4. The new version of SwitchDefaultDeny 2.0.0.1 - adjusted to work with <Update Mode>.

5. Changed the name of the H_C option <Run As SmartScreen> to <Forced SmartScreen>.

6. Changed the name "Run As SmartScreen" (of the entry in the Explorer context menu) to "Install By SmartScreen".

7. Added prevention against SmartScreen DLL hijacking (included in "Install By SmartScreen" and "Run By SmartScreen").

8. Added 3 new options <Update Mode>, <Harden Archivers>, and <Harden Email Clients>. The <Update Mode> allows the execution

of EXE (TMP) and MSI files in ProgramData and AppData folders, which allows the applications to auto-update without losing

much of the H_C protection. These folders are hidden for the users in the Explorer default settings. The <Harden

Archivers> and <Harden Email Clients> support the <Update Mode> to prevent bypassing the Hard_Configurator Recommended

Settings. The settings <Update Mode> = ON, <Harden Archivers> = ON, and <Harden Email Clients> = ON are added to the H_C

Recommended Settings on Windows 8 .

The <Update Mode> = ON setting still blocks the EXE (TMP) and MSI files in other folders from UserSpace like: Desktop,

Documents, Downloads, Music, Movies, Pictures, non-system partitions, and USB drives. The user has to use "Install By

SmartScreen" entry to run standalone application installers.

9. Added some new H_C setting profiles. For example, the Windows_8_Strict_Recommended_Settings and

Windows_10_Strict_Recommended_Settings apply for Recommended Settings used in H_C 5.0.0.0 and prior versions, which did

not use the <Update Mode> feature.

10. Whitelisted the folder ImplicitAppShortcuts (only for shortcuts).

11. Whitelisted the shortcuts in the user Desktop, when the Desktop location is redirected. This can happen when the user

chooses the Desktop backup in OneDrive or manually changes the path to the Desktop. After changing the path to the user

Desktop, it is required to sign off from the account or refresh the Explorer. After that, the shortcuts on the Desktop

in the new location will be automatically whitelisted.

12. Added to the H_C manual many details related to Recommended Settings and Avast profiles, which can use now the <Update

Mode> feature.

13. Added the option to whitelist globally the MSI files (<Whitelist By Path> "Allow MSI"). In version 5.0.0.1, this

setting is used when the user applies the profile "Windows_10_MT_Windows_Security_hardening.hdc" - both EXE (TMP) and

MSI files are allowed. In the old setting profile "Windows_10_MT_Windows_Security_hardening.hdc", only EXE (TMP) files

are globally allowed.

Version 5.0.0.0

1. Added a new version of ConfigureDefender with an additional ASR rule: "Block persistence through WMI event subscription".

2. Minor bugs corrected.

Version 4.1.1.1

1. Added "Paranoid Extensions" (259 potentially dangerous file type extensions).

2. Added FirewallHardening tool, which blocks by Windows Firewall many LOLBins and allows the user to block any application.

3. Removed explorer.exe paths from FirewallHardening LOLBins on Windows 8 and 8.1., for compatibility with SmartScreen.

4. Two buttons <Recommended SRP> and <Recommended Restrictions> are replaced by one green button <Recommended Settings>.

5. Reorganization of buttons: the violet buttons <Firewall Hardening> and <ConfigureDefender> are now located in the upper

part of the main window. The button <No Removable Disks Exec.> was replaced by the new option button <Validate Admin Code

Signatures> (see point 7).

6. If Default Deny Protection is turned OFF by the 'Switch Default Deny' tool, then the "Run By SmartScreen" option is automatically

enabled in the Explorer context menu. It can be used for installing safely the applications both on Administrator and Standard

User type of accounts.

7. Added the option <Validate Admin Code Signatures> which changes the UAC settings to enforce cryptographic signatures on

any any interactive application that requests elevation of privilege. This setting will prevent the user from running the applications

which require Administrative rights, but are not digitally signed.

8. Added the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code

Signatures>.

9. The option <Restore Windows Defaults> does restore also Windows Defender defaults and removes FirewallHardening Outbound

block rules.

10. All Hard-Configurator native executables are digitally signed by SHA256 certificate (Certum Code Signing CA SHA2).

Version 4.0.1.0

1. Added a new version of RunBySmartScreen (minor changes)

2. Added a new version of ConfigureDefender.

Version 2.0.0.1

a) Added icon.

b) Added the button <Defender Security Log>, which allows seeing last 200 Windows Defender events.

c) Added the splash alert when applying time-consuming features.

d) Renamed option "Reporting Level (MAPS membership level)" to "Cloud-delivered Protection".

e) Extended the abilities of <REFRESH> button.

f) Updated the changes made by Microsoft to allow file & folder exclusions for some additional ASR rules.

g) Corrected the issue with closing the application.

h) Extended the help.

3. Added a new version of 7-ZIP.

4. Added more blocked Sponsors (total number 173).

5. Added more blocked Sponsors to Enhanced profiles.

6. Added new icons for H_C executables.

Version 4.0.0.2

1. Corrected the ability to whitelist OneDrive on SUA.

2. Changed the way of using <Refresh Explorer> option to avoid problems on SUA.

3. Added the warning before Hard_Configurator unstallation, about using DocumentAntiExploit tool.

4. Added the DocumentsAntiExploit tool to the SwitchDefaultDeny application, for managing different MS Office and Adobe

Acrobat Reader

XI/DC settings on different user accounts.

5. In the 4.0.0.2 version the <Documents Anti-Exploit> option in Hard_Configurator can only change system-wide settings.

Non-system-wide settings are now available only via DocumentsAntiExploit tool.

6. Added IQY and SETTINGCONTENT-MS file extensions to the default list of Designated File Types and to the hardcoded

dangerous extensions in RunBySmartScreen.

7. Improved Shortcut protection.

8. Improved the protection of MS Office and Adobe Acrobat Reader XI/DC applications, against the weaponized documents.

9. Improved 'Run By SmartScreen' with over 250 blocked file extensions (SRP, Outlook Web Access, Gmail, and Adobe Acrobat

Reader attachments blacklists). The extensions BAT, DLL, CMD, JSE, OCX, and VBE are now blocked with notifications, instead

of being checked by SmartScreen. Popular but vulnerable files (RTF, DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF)

related to MS Office and Adobe Reader, are opened with the warning instructions.

10. Changed the names of some buttons in the TOOLS menu:

<View Blocked Events> --> <Blocked Events / Security Logs>

<Run Autoruns: Scripts/UserSpace> --> <Whitelist Autoruns / View Scripts>

11. Changed 'Allow EXE' option in the <Whitelist by Path> to 'Allow EXE and TMP'. So, both EXE files and TMP files are

whitelisted - this option is prepared to work with Avast Hardened Mode Aggressive as default-deny.

12. Corrected the bug with <Update> button (did not work for the 64-bit version).

13. Updated Hard_Configurator manual.

Version 4.0.0.0

0. Deinstallation of Hard_Configurator is available only from <Tools> <Uninstall Hard_Configurator>.

1. Added <Documents Ant-Exploit button> to block/unblock active content in MS Office and Adobe Acrobat Reader XI / DC.

2. Added <ConfigureDefender> button to run ConfigureDefender utility (installed with this package).

3. Added <Allow EXE files> button in 'Whitelist By Path' window. This feature allows all EXE files except ticked in <Block

Sponsors>.

4. Added the Avast_Hardened_Mode_Aggressive profile to work with Avast, set to Hardened Aggressive mode.

5. Changed the name of the button <Run SRP/Scripts EventLogView> to <View Blocked Events>.

6. Extended the logged events in <View Blocked Events> to include Exploit Guard ASR, Controlled Folder Access, Network

Protection, and Defender blocked/audited events.

7. Added some new paths to blacklist writable Windows subfolders.

8. Corrected the whitelisting of OneDrive executables.

9. Added the new versions of Sysinternals Autoruns, NirSoft FullEventView, and 7-ZIP.

10. Recommended settings in ver. 4.0.0.0 are based on <Default Security Level> = 'Disallowed', as compared to <Default

Security Level> = 'Basic User' used in the previous versions. The difference for the user will be visible only with the

extended SRP protection for BAT and CMD files.

11. Added <Update> button to check/install the new Hard_Configurator versions.

Version 3.1.0.0

1. Blocked external utilities (Nirsoft FullEventLogView, Sysinternals Autoruns, 7-Zip) as standard user, in the folder

'%SystemRoot%\Hard_Configurator'.

2. Hard_Configurator does not use NirSoft nircmdc.exe .

3. Added <Disable Cached Logons> and <UAC CTRL_ALT_DEL> buttons to harden credentials protection outside the home network.

4. Added backup management for Profile Base (whitelist profiles and setting profiles can be 'exported to'/'imported from' one

compressed file).

5. Removed the option <No Removable Disks Exec.>.

6. Corrected the bug related to Maximum Shadow Copy Storage space.

7. Corrected the <Disable SMB> displaying '?' when SMB 1.0 is not installed (as in Windows 10 Fall Creators Update).

8. Added 'Restart Computer' possibility after <APPLY CHANGES>, when the changed settings are related to drivers (SMB

protocol).

9. Updated Hard_Configurator manual (with some corrections).

Version 3.0.1.0

1. Improved method of making System Restore Point (automatic for all supported Windows versions).

2. Redefined buttons:

A) <Turn OFF All SRP> and <Turn OFF All Restrictions> have changed labels to <Switch OFF/ON SRP> and <Switch OFF/ON

Restrictions>.

They also have additional functionality.

B) <Load Defaults> and <Save Defaults> have changed labels to <Load Profile> and <Save Profile>. They allow managing user

made profiles

(except 'DesignatedFile Types' and White Lists).

3. Added <Save Load> button on the right side of Whitelist buttons to manage Whitelist user profiles.

4. Added default Whitelist entry for the folder 'C:\ProgramData\Microsoft\Windows Defender'.

5. Added two paths to protect in the Windows folder: 'C:\WINDOWS\debug\WIA' and 'C:\WINDOWS\System32\Tasks_Migrated'

6. Added <APPLY CHANGES> button.

7. Added <Block Sponsors> button, that can disable access to 57 Windows executables (via SRP Disallowed rules).

The options for blocking powershell.exe, powershell_ise.exe, and cmd.exe were transferred to <Block Sponsors>.

8. Added <Disable SMB button>.

9. Added: <ADD> / <REMOVE> OneDrive buttons in the <Whitelist by path> window.

10. Added some predefined setting profiles (ALL_OFF, ALL_ON, ALL_ON_MAX, Recommended_nonSRP, TestingSmartScreen,

Recommended_withDefaultAllowSRP_and_BlockSponsors).

Version 3.0.0.1

1. Improved autoruns checking.

2. Minor bugs corrected.

Version 3.0.0.0

1. <Run As SmartScreen> was updated to work with Windows 10 Creators Update.

2. Some names of the buttons were adjusted to the names used in 'How do Software Restriction Policies work' articles.

3. Added new options: <Disable 16-bits>, <Shell Extension Security>, <Disable Command Prompt>, <Disable Elevation on SUA>,

<Block PowerShell Sponsors>, <MSI Elevation>.

4. Hard_Configurator is distributed as an Inno Setup installation file.

5. For Windows Vista and Windows 7, automatic System Restore Point creation was changed to manual.

6. Improved 'Load Defaults' option.

7. Added 'Documentation' option to view Hard_Configurator manual and 'How do Software Restriction Policies work' articles,

from within the program.

8. Updated manual and "How do Software Restriction Policies work".

Version 2.1.0.0 Polish version

1. Hard_Configurator is distributed as an Inno Setup installation file.

2. For Windows Vista version, automatic System Restore Point creation was changed to manual.

3. Improved 'Load Defaults' option.

4. Updated Hard_Configurator manual.

5. Added 'Documentation' option to view Hard_Configurator manual, from within the program.

6. The Polish version was released (only help files).

Version 2.0.1.0

1. New options in <SRP Extensions> window: Add/Remove script extensions, Save/Restore extensions, Restore default extensions.

2. New <Tools> button with troubleshooting options:

<Run SRP/Scripts EventLogView> - filters the output of NirSoft tool: FullEventLogView, to retrieve information about

blocked events.

<Run Autoruns: Scripts/UserSpace> - filters out all numerous autoruns from the System Space leaving only a few entries

from the User Space. They are automatically whitelisted.

<Turn ON Advanced SRP logging> - activates Verbose trace logging of SRP, and allows to view the log.

<Restore Windows Defaults> - replaces the registry changes made by Hard_Configurator with Windows default values.

3. <Block Remote Assistance> option has been renamed to <Block Remote Access> and entended to include Remote Shell and Remote

Registry.

4. On the first run, Hard_Configurator makes a System Restore point, performs autoruns checking and whitelisting User Space

autoruns.

5. Updated manual with extended information about how SRP can control file execution/opening, using API functions:

ShellExecute, CreateProcess, LoadLibrary, and about unusual shortcuts handling.

Version 2.0.0.0:

1. SRP file/folder whitelisting by path (also with wildcards).

2. Protecting (SRP deny execution) writable subfolders of 'C:\Windows' folder.

3. "Run By SmartScreen" option in Explorer context menu (run files without elevation, useful when SRP deactivated)

4. Updated manual.

Some minor bugs were corrected.