[Notice] 深山红叶 boot disc (WinPE & PE Builder) discussion thread (posts that break this rule will be deleted)
[This post was last edited by emca on 2005/01/09 02:16pm, edit 1]
Below is the script code for the “卓尔系统贴心锁” mentioned above; please offer suggestions to help improve it. One file it needs is hard to upload (it failed repeatedly); please search for and download it when needed.
Note: the original idea started from some script fragments by an online expert (I can't remember exactly where), which I then expanded, supplemented and modified extensively. Since I haven't set aside dedicated time for it, I have only made ad-hoc changes whenever I found a problem or thought of something, so many places in the script need optimizing and tidying up.
Overall idea:
Clean system (or a system after virus removal) → protect and harden → daily use
@echo off
title 欢迎使用“深山红叶系统贴心锁”
set FS=NTFS
cacls %SystemRoot% | find "SYSTEM" > nul 2>nul
if "%ERRORLEVEL%"=="0" goto :start
cls
set FS=FAT
color 4f
echo.
echo 注意:您的系统分区没有采用 NTFS 文件系统,因此不能对系统目录进行保护!
echo.
echo 任意键继续…………
rem An option to convert the system partition to NTFS could be added here. Not finished.
rem convert %SystemDrive% /FS:NTFS /V
pause>nul
:start
cls
color 2f
SETLOCAL
rem Set the active code page to Chinese (GBK, 936)
chcp 936>nul 2>nul
echo.
echo ************************************************************
echo.
echo 欢迎使用“深山红叶系统贴心锁” V2.5
echo.
echo ——小巧强大的系统固化保护设置程序
echo.
CACLS %SystemRoot%|find "SYSTEM:(OI)(CI)R" > nul 2>nul
if "%ERRORLEVEL%"=="0" echo 当前系统分区文件系统:%FS% 当前系统保护状态: 锁定!
if "%ERRORLEVEL%"=="1" echo 当前系统分区文件系统:%FS% 当前系统保护状态: 未锁定!
echo ************************************************************
:chkOS
CACLS %SystemRoot% /E /C /P everyone:R>nul 2>nul
CACLS %SystemRoot%\system32 /E /C /P everyone:R>nul 2>nul
echo.
ver|find "2000" > nul 2>nul
if "%ERRORLEVEL%"=="0" goto :2000
ver|find "Microsoft Windows [版本 5" > nul 2>nul
if "%ERRORLEVEL%"=="0" goto :2003
ver|find "XP" > nul 2>nul
if "%ERRORLEVEL%"=="0" goto :XP
echo.
echo 对不起,本程序仅支持 Windows 2000/XP/2003。
goto quit
rem Detect the operating system and assign the policy-refresh command
:2000
set UpdatePolicy=secedit /refreshpolicy machine_policy
goto Selection
:XP
set UpdatePolicy=GPUpdate /Force
goto Selection
:2003
set UpdatePolicy=GPUpdate /Force
goto Selection
:Selection
echo.
echo 请选项操作项目(输入项目前面的数字)——
echo.
echo [1] 锁定危险入口和系统目录,启用木马、病毒保护
echo.
echo [2] 解除危险入口和系统目录的锁定状态(恢复默认设置)
echo.
echo [3] 功能说明
echo.
echo [4] 在线强力杀毒(强烈建议先杀毒后保护!)
echo.
echo [5] 退出
echo.
set /p UserSelection= 输入您的选择(1、2、3、4、5):
if "%UserSelection%"=="1" goto install
if "%UserSelection%"=="2" goto uninstall
if "%UserSelection%"=="3" goto information
if "%UserSelection%"=="4" goto web
if "%UserSelection%"=="5" goto complete
rem Any other input: redraw the menu
cls
goto Selection
:err
cls
echo.
echo 您已经进行了系统固化保护!不必运行第二次!
echo 您现在只允许使用解除保护的功能!
echo.
echo 任意键返回……
PAUSE>nul 2>nul
goto Start
:information
cls
echo.
echo.
echo 欢迎使用“深山红叶系统贴心锁”!
echo ==============================================================
echo 功能:锁定系统各种危险自动加载入口,防范木马病毒的植入和加载。
echo.
echo 1、锁定注册表 Run、RunOnce、RunService、Services 等为只读,
echo 防止木马、病毒通过自启动项目和添加为服务的方式启动;
echo 2、锁定 txt com exe inf ini bat cmd pif hlp chm 等文件关联,
echo 防止木马、病毒通过修改文件关联启动;
echo 3、自动修正系统外壳和用户初始化环境; 启用系统文件保护;
echo 4、设置 App path 为只读,防止应用程序的路径缓存被仿冒;
echo 5、锁定用户登录和注销脚本,防范恶意程序在登录或注销时加载;
echo 6、锁定“启动”组和命令行自动运行参数,防止重定向或被修改;
echo 7、防范浏览器首页、起始页、搜索页等参数被修改……
echo 8、对 2480 余种浏览器插件和恶意网址进行免疫(不断增加中)……
echo.
echo 注意事项:
echo ①安装某些应用程序如涉及上述设置,请在安装前运行本程序,
echo 选择选项 2 以恢复默认设置;安装完毕,重新运行本程序,
echo 选择选项 1 以重新启用反特洛伊木马的系统固化保护设置!
echo ②建议在新安装的干净系统中使用,只能预防而无杀毒功能!
echo ③不同用户登录后请分别运行本程序!非管理员可能有部分限制。
echo ④使用本程序为您自愿,我们不对使用的任何后果负任何责任!
echo ==============================================================
echo.
echo 按任意键返回选择 ……
pause>nul 2>nul
cls
goto start
:install
if exist %TEMP%\kill.log goto inst2
cls
echo.
echo 【!!注意!!】
echo ============
echo.
echo !!! 只有“干净”的系统才有保护的价值 !!!
echo.
if %FS%==FAT echo !!! 当前系统分区不是 NTFS 文件系统,不支持目录保护 !!!
echo.
echo 强烈建议在进行保护之前先进行病毒扫描!
echo 连接过程中如果防火墙有提示,请选择允许!
echo.
echo 需要立即开始在线杀毒吗?确定后进入“免费在线杀毒”界面……
echo.
set /p kv= 输入您的选择(Y=开始在线杀毒 N=开始保护系统):
if "%kv%"=="y" goto web
if "%kv%"=="n" goto inst2
if "%kv%"=="Y" goto web
if "%kv%"=="N" goto inst2
goto start
:inst2
if exist %TEMP%\sysfix.log goto err
set OP=/grant everyone /read /p:no_dont_copy
set OF=/E /C /P "Power Users":R
set US=/E /C /P USERS:R
set OE=/E /C /P everyone:R
set OY=/E /C /P Administrators:R
set OS=/E /C /P System:R
set CU=/E /C /P %USERNAME%:R
set EE=/E /C /P %USERNAME%:F
set CC=/E /C /P "Power Users":N
set RE=00000001
set RD=00000000
set VB=DELETE
set TP=启用
echo.>%TEMP%\sysfix.log
goto Doit
:uninstall
set OP=/revoke everyone /read /p:yes
set OF=/E /C /P "Power Users":F
set OE=/E /C /P everyone:R
set OY=/E /C /P Administrators:F
set OS=/E /C /P System:F
set CU=/E /C /P %USERNAME%:F
set US=/E /C /P USERS:R
set EE=/E /C /P %USERNAME%:F
set CC=/E /C /P "Power Users":N
rem CheckedValue=1 and SFCDisable=0 are the Windows defaults; restoring defaults must keep them
set RE=00000001
set RD=00000000
set VB=ADD
set TP=取消
if exist %TEMP%\sysfix.log del %TEMP%\sysfix.log /q>nul 2>nul
goto Doit
:Doit
cls
echo.
echo 正在执行操作,请稍候...
echo.
echo --===开始设置注册表关键键值权限===--
echo.
rem HKLM
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
echo 本地系统自动运行项目保护%TP%完毕!
rem Handle the VBS and other script hosting environment to guard against trojans
rem Malicious execution component: WScript.Shell
rem Trojan dropper component: FileSystemObject
rem Trojan download component: XMLHTTP
rem Trojan upload component: ADODB.Stream
rem Trojan execution component: Shell.Application
rem Skip ahead when enabling protection; otherwise start restoring the registry
if %VB%==DELETE goto VB
:RE
rem Generate the registry contents that restore the environment above
echo REGEDIT4>%TEMP%\CLSID.REG
echo.>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}]>>%TEMP%\CLSID.REG
echo @="ADODB.Stream">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32]>>%TEMP%\CLSID.REG
echo @="%SystemDrive%\\Program Files\\Common Files\\System\\ado\\msado15.dll">>%TEMP%\CLSID.REG
echo "ThreadingModel"="Apartment">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID]>>%TEMP%\CLSID.REG
echo @="ADODB.Stream.2.8">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\VersionIndependentProgID]>>%TEMP%\CLSID.REG
echo @="ADODB.Stream">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}]>>%TEMP%\CLSID.REG
echo @="FileSystem Object">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32]>>%TEMP%\CLSID.REG
echo @="%SystemDrive%\\WINDOWS\\system32\\scrrun.dll">>%TEMP%\CLSID.REG
echo "ThreadingModel"="Both">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID]>>%TEMP%\CLSID.REG
echo @="Scripting.FileSystemObject">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib]>>%TEMP%\CLSID.REG
echo @="{420B2830-E718-11CF-893D-00A0C9054228}">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version]>>%TEMP%\CLSID.REG
echo @="1.0">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}]>>%TEMP%\CLSID.REG
echo @="Windows Script Host Shell Object">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\Implemented Categories]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32]>>%TEMP%\CLSID.REG
echo @="%SystemDrive%\\WINDOWS\\system32\\wshom.ocx">>%TEMP%\CLSID.REG
echo "ThreadingModel"="Apartment">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID]>>%TEMP%\CLSID.REG
echo @="WScript.Shell.1">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\Programmable]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TypeLib]>>%TEMP%\CLSID.REG
echo @="{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\VersionIndependentProgID]>>%TEMP%\CLSID.REG
echo @="WScript.Shell">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}]>>%TEMP%\CLSID.REG
echo @="Windows Script Host Shell Object">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\Implemented Categories]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\InProcServer32]>>%TEMP%\CLSID.REG
echo @="%SystemDrive%\\WINDOWS\\system32\\wshom.ocx">>%TEMP%\CLSID.REG
echo "ThreadingModel"="Apartment">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\ProgID]>>%TEMP%\CLSID.REG
echo @="WScript.Shell.1">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\Programmable]>>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\TypeLib]>>%TEMP%\CLSID.REG
echo @="{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}">>%TEMP%\CLSID.REG
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}\VersionIndependentProgID]>>%TEMP%\CLSID.REG
echo @="WScript.Shell">>%TEMP%\CLSID.REG
echo.>>%TEMP%\CLSID.REG
rem Restore the registry
regedit /s %TEMP%\CLSID.REG
goto NEXT
:VB
REG %VB% HKLM\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} /f>nul 2>nul
REG %VB% HKLM\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} /f>nul 2>nul
REG %VB% HKLM\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} /f>nul 2>nul
REG %VB% HKLM\SOFTWARE\Classes\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} /f>nul 2>nul
echo %TP%恶意执行程序组件、木马生成/下载/上传/执行组件保护完毕!
rem Immunize against 2000+ browser plug-ins and malicious sites
regedit /s UnActiveX.reg
echo 对 2480 余种浏览器插件和恶意网址进行免疫完成!
:NEXT
rem The following lines set up and protect the logon environment
rem Guard against application paths being spoofed:
setacl "machine\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" /registry %OP%>nul 2>nul
echo 应用程序路径缓存保护%TP%完毕!
rem Enable Windows File Protection:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "%RD%" /f>nul 2>nul
echo 系统文件保护功能已经设置完成!
rem Guard against the system shell and user-initialization program being spoofed or hijacked with appended parameters:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "%SystemRoot%\system32\userinit.exe," /f>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v VmApplet /t REG_SZ /d "rundll32 shell32,Control_RunDLL \"sysdm.cpl\"" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "%SystemRoot%\Explorer.exe" /f>nul 2>nul
rem Do not use the following command; it prevents logging on successfully:
rem setacl "machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /registry %OP%>nul 2>nul
echo 系统外壳及用户初始化环境保护%TP%完毕!
rem Guard against malicious programs hiding files completely (the "Show hidden files" option lives under Explorer\Advanced\Folder\Hidden\SHOWALL, not Winlogon):
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d "%RE%" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v ValueName /t REG_SZ /d "Hidden" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v DefaultValue /t REG_DWORD /d 2 /f>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v HKeyRoot /t REG_DWORD /d 0x80000001 /f>nul 2>nul
echo 防范恶意程序彻底隐藏文件保护%TP%完毕!
rem Guard against the command-line AutoRun parameter being modified:
setacl "machine\SOFTWARE\Microsoft\Command Processor" /registry /revoke everyone /read /p:yes>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Command Processor" /v AutoRun /d "" /f>nul 2>nul
setacl "machine\SOFTWARE\Microsoft\Command Processor" /registry %OP%>nul 2>nul
echo 命令行自动运行参数保护%TP%完毕!
rem Guard against malicious programs auto-loading as logon or logoff scripts:
setacl "machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts" /registry /revoke everyone /read /p:yes>nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts" >nul 2>nul
setacl "machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts" /registry %OP%>nul 2>nul
echo 登录脚本和注销脚本保护%TP%完毕!
rem HKCU
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
setacl CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP%>nul 2>nul
echo 当前用户自动运行项目保护%TP%完毕!
rem Fix and guard against redirection of the Startup folder location:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Startup /f /d "%USERPROFILE%\「开始」菜单\程序\启动">nul 2>nul
setacl "CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /registry %OP%>nul 2>nul
echo 防范启动组位置重定向保护%TP%完毕!
rem Guard against malicious programs auto-running via load or run and against changes to executable file types:
setacl "CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /registry %OP%>nul 2>nul
echo 防范通过 load 或 run 自动运行恶意程序和更改可执行文件类型保护%TP%完毕!
rem Prevent the current user's browser home page and other main settings from being modified:
setacl "CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /registry %OP%>nul 2>nul
echo 当前用户浏览器主要配置保护%TP%完毕!
rem Prevent the machine-wide (all users) browser home page and other main settings from being modified:
setacl "machine\Software\Microsoft\Internet Explorer\Main" /registry %OP%>nul 2>nul
echo 公共用户浏览器主要配置保护%TP%完毕!
rem USERS
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEX /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEX /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEx /registry %OP%>nul 2>nul
setacl USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce /registry %OP%>nul 2>nul
echo 默认用户自动运行项目保护%TP%完毕!
rem Services
setacl MACHINE\SYSTEM\CurrentControlSet\Services /registry %OP%>nul 2>nul
echo 系统服务项目设置保护%TP%完毕!
rem CLASSES_ROOT
rem Protect common file associations:
setacl CLASSES_ROOT\exefile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\inifile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\txtfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\comfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\batfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\inffile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\piffile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\cmdfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\hlpfile\shell\open\command /registry %OP%>nul 2>nul
setacl CLASSES_ROOT\chmfile\shell\open\command /registry %OP%>nul 2>nul
rem Block the scrap (SHS) document type:
reg delete HKCR\ShellScrap\shell\open\command /f >nul 2>nul
reg add HKCR\ShellScrap\shell\open\command >nul 2>nul
echo 常见文件关联保护%TP%完毕(EXE TXT CMD BAT INI PIF COM INF HLP CHM SHS等)!
rem Prevent a malicious DLL from being loaded alongside Explorer:
setacl CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 /registry %OP%>nul 2>nul
echo 防止恶意 DLL 与 Explorer 链接加载保护%TP%完毕!
rem Prevent malicious programs from running via disk Autorun
For %%B in (C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) do if exist %%B:\Autorun.inf ren %%B:\Autorun.inf Autorun.in_ >nul 2>nul
rem Harden the current-user and all-users Startup folders and the local DNS resolution (hosts) file
if "%FS%"=="FAT" goto NONTFS
goto SETDIR
:NONTFS
echo.
echo 您的系统分区不是 NTFS 文件系统,将跳过系统目录保护!
goto POLICY
:SETDIR
echo.
echo.
if %VB%==ADD goto pdir
echo --===开始设置敏感文件夹权限===--
echo.
echo 【!! 注意 !!】
echo ==============
echo 下面的设置会锁定系统重要目录,如果要安装新软件等,请重新运行
echo ============================================================
echo 本程序以取消对当前系统的锁定状态!
echo ============================================================
echo.
echo 任意键继续……
pause>nul 2>nul
:pdir
echo.
echo 以下部分操作的时间可能较长,请稍候……
echo.
echo 正在%TP%“当前用户”启动组的只读权限保护……
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %OF%>nul 2>nul
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %OE%>nul 2>nul
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %OY%>nul 2>nul
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %OS%>nul 2>nul
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %CU%>nul 2>nul
CACLS "%USERPROFILE%\「开始」菜单\程序\启动" %US%>nul 2>nul
echo 正在%TP%“公共用户”启动组的只读权限保护……
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %OF%>nul 2>nul
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %OE%>nul 2>nul
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %OY%>nul 2>nul
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %OS%>nul 2>nul
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %CU%>nul 2>nul
CACLS "%SystemDrive%\Documents and Settings\All Users\「开始」菜单\程序\启动" %US%>nul 2>nul
echo 正在%TP%“HOSTS”文件的只读权限保护……
CACLS %SystemRoot%\system32\drivers\etc\hosts %OF%>nul 2>nul
CACLS %SystemRoot%\system32\drivers\etc\hosts %OE%>nul 2>nul
CACLS %SystemRoot%\system32\drivers\etc\hosts %OY%>nul 2>nul
CACLS %SystemRoot%\system32\drivers\etc\hosts %OS%>nul 2>nul
CACLS %SystemRoot%\system32\drivers\etc\hosts %CU%>nul 2>nul
CACLS %SystemRoot%\system32\drivers\etc\hosts %US%>nul 2>nul
echo 正在%TP%自动安装网络插件的拒绝权限保护……
rem If 3721 is absent, occupy its paths with dummy files and lock them; if present, lock them directly
if exist "%USERPROFILE%\「开始」菜单\程序\上网助手\nul" del /s /q "%USERPROFILE%\「开始」菜单\程序\上网助手\*.*" >nul 2>nul
rd "%USERPROFILE%\「开始」菜单\程序\上网助手" >nul 2>nul
if exist "%SystemDrive%\Program Files\3721\nul" del /s /q "%SystemDrive%\Program Files\3721\*.*" >nul 2>nul
if not exist "%SystemDrive%\Program Files\3721\nul" md "%SystemDrive%\Program Files\3721" >nul 2>nul
CACLS "%SystemDrive%\Program Files\3721" /E /C /D everyone>nul 2>nul
if not exist "%SystemRoot%\System32\Drivers\CnsminKP.sys" echo 3721 >"%SystemRoot%\System32\Drivers\CnsminKP.sys" >nul 2>nul
CACLS "%SystemRoot%\System32\Drivers\CnsminKP.sys" /E /C /D everyone>nul 2>nul
if not exist "%SystemRoot%\Downloaded Program Files\CnsMin.cab" echo 3721 >"%SystemRoot%\Downloaded Program Files\CnsMin.cab">nul 2>nul
if not exist "%SystemRoot%\Downloaded Program Files\cns02.dat" echo 3721 >"%SystemRoot%\Downloaded Program Files\cns02.dat">nul 2>nul
if not exist "%SystemRoot%\Downloaded Program Files\CnsHook.dll" echo 3721 >"%SystemRoot%\Downloaded Program Files\CnsHook.dll">nul 2>nul
if not exist "%SystemRoot%\Downloaded Program Files\CnsMin.inf" echo 3721 >"%SystemRoot%\Downloaded Program Files\CnsMin.inf">nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files\Cn*.*" /T /E /C /P everyone:F>nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files\Cn*.*" /E /C /D everyone>nul 2>nul
regedit /s Un3721.reg
regedit /s Unassist.reg
echo 正在%TP%“%SystemDrive%”根目录的只读权限保护……
CACLS %SystemDrive%\ %OE%>nul 2>nul
CACLS %SystemDrive%\ %OY%>nul 2>nul
CACLS %SystemDrive%\ %OS%>nul 2>nul
CACLS %SystemDrive%\ %CU%>nul 2>nul
CACLS %SystemDrive%\ %CC%>nul 2>nul
CACLS %SystemDrive%\ /E /C /P Users:R>nul 2>nul
echo 正在%TP%“Windows”文件夹的只读权限保护……
CACLS %SystemRoot% /e /c /p Users:R>nul 2>nul
CACLS %SystemRoot% %OE%>nul 2>nul
CACLS %SystemRoot% %OY%>nul 2>nul
CACLS %SystemRoot% %OS%>nul 2>nul
CACLS %SystemRoot% %CU%>nul 2>nul
if "%VB%"=="DELETE" cacls %SystemRoot% /e /c /p "Power Users":R>nul 2>nul
if "%VB%"=="ADD" cacls %SystemRoot% /e /c /p "Power Users":C>nul 2>nul
echo 正在%TP%“Windows\WEB”文件夹的只读权限保护……
CACLS %SystemRoot%\WEB /e /c /p Users:R>nul 2>nul
CACLS %SystemRoot%\WEB %OE%>nul 2>nul
CACLS %SystemRoot%\WEB %OY%>nul 2>nul
CACLS %SystemRoot%\WEB %OS%>nul 2>nul
CACLS %SystemRoot%\WEB %CU%>nul 2>nul
if "%VB%"=="DELETE" cacls %SystemRoot%\WEB /e /c /p "Power Users":R>nul 2>nul
if "%VB%"=="ADD" cacls %SystemRoot%\WEB /e /c /p "Power Users":C>nul 2>nul
echo 正在%TP%“Windows\Downloaded Program Files”文件夹的只读权限保护……
CACLS "%SystemRoot%\Downloaded Program Files" /e /c /p Users:R>nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files" %OE%>nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files" %OY%>nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files" %OS%>nul 2>nul
CACLS "%SystemRoot%\Downloaded Program Files" %CU%>nul 2>nul
if "%VB%"=="DELETE" cacls "%SystemRoot%\Downloaded Program Files" /e /c /p "Power Users":R>nul 2>nul
if "%VB%"=="ADD" cacls "%SystemRoot%\Downloaded Program Files" /e /c /p "Power Users":C>nul 2>nul
echo 正在%TP%“System32”文件夹的只读权限保护……
cacls %SystemRoot%\system32 /e /c /p "Power Users":R>nul 2>nul
CACLS %SystemRoot%\system32 /e /c /p Users:R>nul 2>nul
CACLS %SystemRoot%\system32 %OE%>nul 2>nul
CACLS %SystemRoot%\system32 %OY%>nul 2>nul
CACLS %SystemRoot%\system32 %OS%>nul 2>nul
CACLS %SystemRoot%\system32 %CU%>nul 2>nul
if "%VB%"=="ADD" cacls %SystemRoot%\system32 /e /c /p "Power Users":C>nul 2>nul
rem Compatibility adjustment to avoid failures on some machines
CACLS %SystemRoot%\system32\svchost.exe /e /c /p everyone:R>nul 2>nul
CACLS %SystemRoot%\system32\svchost.exe /e /c /p "Power Users":R>nul 2>nul
CACLS %SystemRoot%\system32\svchost.exe /e /c /p Users:R>nul 2>nul
CACLS %SystemRoot%\system32\svchost.exe /e /c /p Administrators:F>nul 2>nul
CACLS %SystemRoot%\system32\svchost.exe /e /c /p System:F>nul 2>nul
CACLS %SystemRoot%\system32\svchost.exe /e /c /p %USERNAME%:C>nul 2>nul
rem Adjust write permission for the input method (IME) directory:
CACLS %SystemRoot%\system32\IME /T /c /p everyone:F>nul 2>nul
echo 正在%TP%“DLLCACHE”文件夹的只读权限保护……
cacls %SystemRoot%\system32\dllcache /e /c /p "Power Users":R>nul 2>nul
CACLS %SystemRoot%\system32\dllcache /e /c /p Users:R>nul 2>nul
CACLS %SystemRoot%\system32\dllcache %OE%>nul 2>nul
CACLS %SystemRoot%\system32\dllcache %OY%>nul 2>nul
CACLS %SystemRoot%\system32\dllcache %OS%>nul 2>nul
CACLS %SystemRoot%\system32\dllcache %CU%>nul 2>nul
if "%VB%"=="ADD" cacls %SystemRoot%\system32\dllcache /e /c /p "Power Users":C>nul 2>nul
:POLICY
echo.
echo 正在更新帐户策略、审核策略......
REM Refresh the local security policy so the changes take effect immediately
%UpdatePolicy%>nul 2>nul
echo 帐户策略、审核策略更新完成!
:complete
echo.
echo.
echo 操作完成!
echo.
echo 提醒:安装大型软件之前,请运行本程序临时解除保护,安装后再立即保护!
echo 要修改系统服务等重要设置,也请先解除保护,事后请记得重新保护!
:ext
echo.
echo =======================
echo 按 Y 开始免费在线杀毒
echo 按 N 键退出程序
echo =======================
echo.
set /p UserSelection= 请选择(Y/N):
if "%UserSelection%"=="y" goto web
if "%UserSelection%"=="n" goto quit
if "%UserSelection%"=="Y" goto web
if "%UserSelection%"=="N" goto quit
if "%UserSelection%"=="" goto web
goto web
:web
start "" /max "%ProgramFiles%\Internet Explorer\iexplore.exe" http://www.zrinfo.net/
echo. >%TEMP%\kill.log
goto start
:quit
rem Clean up
del %TEMP%\setacl.exe>nul 2>nul
del %TEMP%\*.CMD>nul 2>nul
del %TEMP%\*.reg>nul 2>nul
ENDLOCAL
exit
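The script above deletes the CLSID keys for ADODB.Stream, Scripting.FileSystemObject and WScript.Shell when locking and rebuilds them from a generated REGEDIT4 file when unlocking. As an added example (not part of the original post), the Python checker below parses such a .reg export and reports, for each of those four CLSIDs, whether the component is absent (the locked state), its InprocServer32 points at the genuine system module, or it has been redirected elsewhere; the sample export is constructed for the demonstration.

```python
import re

# CLSID -> regex (matched case-insensitively) that the InprocServer32 path must fully match.
EXPECTED_SERVERS = {
    "{00000566-0000-0010-8000-00AA006D2EA4}": r"[a-z]:\\program files\\common files\\system\\ado\\msado15\.dll",  # ADODB.Stream
    "{0D43FE01-F093-11CF-8940-00A0C9054228}": r"[a-z]:\\(windows|winnt)\\system32\\scrrun\.dll",  # Scripting.FileSystemObject
    "{72C24DD5-D70A-438B-8A42-98424B88AFB8}": r"[a-z]:\\(windows|winnt)\\system32\\wshom\.ocx",  # WScript.Shell
    "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": r"[a-z]:\\(windows|winnt)\\system32\\wshom\.ocx",  # WScript.Shell.1
}

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...\sub\key]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # @="..." or "Name"="..."


def unquote(s):
    # Strip the quotes of a .reg string and undo its backslash escaping.
    return s[1:-1].replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor' text into {key: {name: raw data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT4", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unquote(m.group(1))
            keys[current][name] = m.group(2)
    return keys


def check_inproc_servers(keys, expected=EXPECTED_SERVERS):
    """Verdict per CLSID: 'absent' (component disabled), 'ok', or 'suspicious: <path>'."""
    verdicts = {clsid: "absent" for clsid in expected}
    for key, values in keys.items():
        parts = key.split("\\")
        clsid = parts[-2].upper() if len(parts) >= 2 else ""
        if parts[-1].lower() != "inprocserver32" or clsid not in expected:
            continue
        data = values.get("@", "")
        path = unquote(data) if data.startswith('"') else data
        genuine = re.fullmatch(expected[clsid], path, re.IGNORECASE) is not None
        verdicts[clsid] = "ok" if genuine else "suspicious: " + path
    return verdicts


# Constructed sample export: FileSystemObject is genuine, WScript.Shell has been
# redirected to a copy of wshom.ocx in a user-writable temp directory.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}]
@="FileSystem Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32]
@="C:\\WINDOWS\\system32\\scrrun.dll"
"ThreadingModel"="Both"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\wshom.ocx"
'''
```

Run against `reg export HKLM\SOFTWARE\Classes\CLSID` output from a machine, the same functions tell you whether the four components are disabled, genuine, or pointing somewhere they should not.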