DEVELOPER.adoc
Developer notes

  • Required software:

  • SetReg -Path 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EXAMPLE' -Key 'Start' -Value '4' -Type 'Dword' is preferred over sc.exe config EXAMPLE start=disabled, since Windows rejects the sc.exe request for some services.

  • bcdedit.exe will fail if the user screwed up their Boot Entries and fixed it later on; the workaround is to explicitly specify the ID.

    • Instead of: bcdedit.exe /deletevalue x2apicpolicy, the workaround is to use bcdedit.exe /deletevalue "{default}" x2apicpolicy

  • setx.exe is much faster than [Environment]::SetEnvironmentVariable; setx.exe however cannot remove environment variables.

  • Non-volatile registry keys usually do not regenerate themselves once the key has been deleted.

    • If the purpose is to revert back to defaults, manually set the default value instead.

  • The registry changes that Group Policy edits make can be traced with Sysinternals Process Monitor.

    • Filter to the process containing gpedit.msc (screenshot: Procmon64 1).

    • Filter to registry changes only (screenshot: Procmon64 2).

      • Translate the traced registry edits to their non-Group Policy locations, and there’s your registry key edit.

        • Other processes of interest: SystemPropertiesPerformance.exe, SystemSettings.exe, DllHost.exe, SecurityHealthService.exe

💡 Example gpedit.msc registry translation:
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2F5A9005-4CB6-4314-B846-8C3EB66C9C24}Machine\Software\Policies\Microsoft\Windows → HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent

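The translation step above, as an added example that is not part of W11Boost: a PowerShell function (the name Convert-GpoRegistryPath is hypothetical) that turns a path captured in a Process Monitor trace of gpedit.msc into the plain policy key a direct registry edit would target, then does a read-only check of whether that key already exists. The sample traced paths are constructed for illustration.

```powershell
# Added example (not W11Boost code). Local GPO edits are staged under
# ...\Group Policy Objects\{GUID}Machine\... or ...\{GUID}User\...;
# the suffix after the GUID decides whether the real key is in HKLM or HKCU.
function Convert-GpoRegistryPath {
    param(
        [Parameter(Mandatory)]
        [string]$TracedPath
    )

    $pattern = '^HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\' +
               'Group Policy Objects\\\{[0-9A-Fa-f-]{36}\}(?<scope>Machine|User)\\(?<rest>.+)$'
    $m = [regex]::Match($TracedPath, $pattern, 'IgnoreCase')
    if (-not $m.Success) {
        throw "Not a local GPO staging path: $TracedPath"
    }

    $rest = $m.Groups['rest'].Value
    switch ($m.Groups['scope'].Value) {
        'Machine' { return "HKEY_LOCAL_MACHINE\$rest" }
        'User'    { return "HKEY_CURRENT_USER\$rest" }
    }
}

# Constructed sample Path values, as they would appear in a Procmon export
# filtered to RegSetValue events from the gpedit.msc host process.
$traced = @(
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2F5A9005-4CB6-4314-B846-8C3EB66C9C24}Machine\Software\Policies\Microsoft\Windows\CloudContent',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{2F5A9005-4CB6-4314-B846-8C3EB66C9C24}User\Software\Policies\Microsoft\Windows\CloudContent'
)

foreach ($p in $traced) {
    $target = Convert-GpoRegistryPath -TracedPath $p
    # Read-only check: does the translated key already exist on this machine?
    # (No Set-ItemProperty here; this only reports where the edit would land.)
    $exists = Test-Path -LiteralPath ('Registry::' + $target)
    [pscustomobject]@{ Traced = $p; Target = $target; Exists = $exists }
}
```

The first sample resolves to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CloudContent and the second to the HKEY_CURRENT_USER equivalent; registry paths are case-insensitive, so the SOFTWARE/Software spelling does not matter.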
  • Drivers currently loaded by Windows can be seen with System Informer via:

    1. The "System" process → Properties (right-click or press Enter with "System" selected) → Modules

  • List all from "Turn Windows features on or off" and their status:
    (Get-WindowsOptionalFeature -Online -FeatureName '*') | Format-Table -Autosize

  • List all from Settings → Apps → Optional features / "Add an optional feature":
    (Get-WindowsCapability -Online -Name '*') | Format-Table -Autosize

  • winget install command line switches/options.

    • -s winget prevents Error 0x8a150044 if the Windows Store is not currently reachable.

Exploit mitigations notes

  • Drivers can enforce their own MitigationFlags; Exploit protection’s "System settings" and "Program settings" are ignored.

  • WSL (Windows Subsystem for Linux) requires CFG (Control Flow Guard) to run. W11Boost currently avoids enabling the other mitigations that might be required later, see the blog post on it.

  • Disabling DEP works for VAC-secured games that are Source mods of other Source games, but blocks playing CS:GO or TF2 for up to an hour straight, with VAC errors.

    • VAC is loaded by steam.exe if Steam is run as Administrator; otherwise it’s loaded by steamservice.exe.

What is avoided

Downsides to GPO compared to direct registry edits
  1. Importing other GPO files can override the prior GPOs, which was the case for applying DoD STIGs after installing W11Boost.

  2. Slows down boot-times drastically.

  3. The user cannot easily change GPOs, they would have to use a third-party program to remove or change them individually.

  4. Error reporting is poor, making it harder to debug W11Boost’s issues.

    • Microsoft’s tools for testing GPOs are purpose built for Active Directory, which W11Boost cannot use, as it wouldn’t make sense to have a separate PC running Windows Server to host an Active Directory.

  5. Overridden user preferences, such as a few settings you could use in Winaero Tweaker.


  1. Disabling Virtualization Based Security (VBS) on PCs with UEFI Lock enabled can boot-loop desktop PCs, but works as intended on laptops. Therefore, $reduce_mitigations = 1 will only work for the majority of PCs, which have Credential Guard (CG) and VBS' UEFI lock disabled.

  2. Per user configuration.

    • W11Boost is for your PCs only, not for those owned by your company.

    • Multi-seat use cases are insecure unless it’s a separate virtual machine (VM) for each user. W11Boost is only in line with the VM variant of multi-seating, and will never support Windows' native multi-seat.

  3. Disabling CPU idle states entirely, whether through a Windows power plan or other methods.

    • Causes a 12700k CPU to go from 190W total system draw on idle to 300W for no noticeable FPS stability benefit.

  4. Custom power plans, as system behavior can be altered in ways that minimally benefit say video games, but increase power usage drastically or have other unforeseen consequences. An example is "Bitsum Highest Performance" disabling CPU P-states entirely.