Disable security event monitoring

Works with Windows 10 and 11

Single action
Windows only
Impact: High
Batch (batchfile)
Fully reversible

Overview

This script disables the Microsoft Security Events filter driver (MsSecFlt.sys).

This driver is known by different names:

Microsoft Security Events Component File System Filter Driver ¹ ²
MSSense: Microsoft Defender for Endpoint for EDR Sensor ³
Microsoft Security Eve Kernel ⁴
Microsoft Security Events Component Minifilter ⁵ ⁶ ⁷
Microsoft Security Events Component Minifilter driver ⁸
MsSecFlt ⁵ ⁶ ⁹.

It is a minifilter that inspects the file system ¹. Minifilter is also known as file system filter driver ¹⁰. It targets a file system or another file system filter driver ¹⁰. A minifilter intercepts requests before they reach their target, modifying or extending functionality ¹⁰.

It is used by Windows to monitor security-related events ². It monitors the following activities:

File system operations ¹ ¹¹ ¹²
Process activities ¹ ¹¹ ¹³ ¹⁴
Registry changes ¹ ¹²
Network interactions ¹
Kernel structure and components ¹³ ¹⁴

It protects these components from tampering and detects unauthorized modifications ¹³ ¹⁴. It performs continuous integrity checks on system components ¹ ¹³ ¹⁴. It detects and responds to tampering or corruption of kernel components ¹³ ¹⁴

This component exposes system data. It logs events using Event Tracing for Windows (ETW) ¹ ². These logs provide security data for other Microsoft and third-party tools ². It additionally provides kernel telemetry data ¹⁵.

It's a core Defender component ¹ ⁷ ¹⁶ ¹⁷ ¹⁸. It comes as part of:

Defender for Endpoint suite ¹ ³ ¹⁹ (formerly Windows Advanced Threat Protection ²⁰ ²¹ ²²).
Defender Antivirus ²³.
Endpoint Detection and Response (EDR) system ¹¹ ¹⁹, which monitors and responds to potential security threats.
Dev Drive ³. It's used when using Let antivirus filters protect Dev Drives option is neabled ²⁴. Dev Drive is a proprietary storage volume designed to enhance performance for developer workloads on Windows ³.
Microsoft Purview for Data Loss Prevention (DLP) functionality ¹².

By disabling this driver, you may enhance your privacy by preventing the collection and logging of detailed security events related to your system's activities. Reducing kernel telemetry helps protect your system data. Disabling this protection enables deeper system modifications, potentially enhancing privacy. These modifications may include disabling data-collecting components like Defender or enabling additional privacy features that are otherwise restricted.

Disabling the driver may improve system performance by preventing it from loading at startup and reducing monitoring overhead.

However, disabling this driver can reduce your system's security. It may expose your system to malware, unauthorized changes, and attacks like DLL hijacking ²⁵.

Caution

Disabling this driver may limit your system's ability to detect and respond to security threats, increasing vulnerability to malware, unauthorized access, and other risks.

Technical Details

This script performs the following actions:

Disables the MsSecFlt service ⁵ ⁶ ⁹.
Removes the driver file located at %SYSTEMROOT%\system32\drivers\MsSecFlt.sys ⁵ ⁶ ⁹ ¹⁶.
Removes the associated library file at %SYSTEMROOT%\system32\mssecuser.dll ⁹ ²² ²⁶.

mssecuser.dll is also known as Microsoft Security Events Component Library ¹² ²⁶. Its functions include:

Providing a user-space library to the driver ⁹.
Communicating with the kernel-level driver (MsSecFlt) ¹².
Monitoring and filtering file and registry activities, helping with code integrity features ¹².

These components are installed by Windows-SECDriver package ⁹.

Overview of default service statuses

OS Version	Status	Start type
Windows 10 (≥ 22H2)	🔴 Stopped	Manual
Windows 11 (21H2)	🟢 Running	Boot
Windows 11 (≥ 22H2)	🔴 Stopped	Manual

Not Advised
This script should only be used by advanced users.
This script is not recommended for daily use as it breaks important functionality.
Consider creating a system restore point before doing any changes.
Security Trade-off
This action prioritizes privacy over certain security features. It's not recommended and should only be used by advanced users after understanding its implications.
Increased Privacy
Enhanced privacy through reduced data collection and tracking
Decreased Security
Some security features will be disabled or limited
This script can be reversed, this allows you to restore the default system security.

Sources

PrivacyLearn.com maintains strict sourcing standards for accuracy, integrity and up-to-date content. Our content relies on authoritative sources including vendor documentation, industry standards, and verified research. Learn more about our verification process and quality standards in our editorial standards page.

10_0_22000_1165/C/Windows/System32/drivers/mssecflt.sys.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · privacysexy-forks/10_0_22000_1165. github.com. (2024).
Original: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/drivers/mssecflt.sys.strings
Archived: https://archive.ph/2024.10.27-171829/https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/System32/drivers/mssecflt.sys.strings
2. (2024).
Original: https://crash.software/STRLCPY/Conferences/~raw/main/Offensivecon%202023%20slides/Yarden%20Shafir_Your%20Mitigations%20are%20My%20Opportunities.pdf
Archived: https://web.archive.org/web/20241007124239/https://crash.software/STRLCPY/Conferences/~raw/main/Offensivecon%202023%20slides/Yarden%20Shafir_Your%20Mitigations%20are%20My%20Opportunities.pdf
Set up a Dev Drive on Windows 11. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/windows/dev-drive
Archived: https://web.archive.org/web/20241007150442/https://learn.microsoft.com/en-us/windows/dev-drive/
New Build windows 11 computer not going to sleep - Microsoft Community. answers.microsoft.com. (2024).
Original: https://answers.microsoft.com/en-us/windows/forum/all/new-build-windows-11-computer-not-going-to-sleep/f88b8d66-f115-4172-aa7c-4861f52ba29a
Archived: https://web.archive.org/web/20241202094559/https://answers.microsoft.com/en-us/windows/forum/all/new-build-windows-11-computer-not-going-to-sleep/f88b8d66-f115-4172-aa7c-4861f52ba29a
Microsoft Security Events Component Minifilter - Windows 10 Service - batcmd.com. batcmd.com. (2024).
Original: https://batcmd.com/windows/10/services/mssecflt
Archived: https://archive.ph/2024.10.27-171848/https://batcmd.com/windows/10/services/mssecflt/
Microsoft Security Events Component Minifilter (MsSecFlt) Service Defaults in Windows 10. revertservice.com. (2024).
Original: https://revertservice.com/10/mssecflt
Archived: https://archive.ph/2024.10.27-171853/https://revertservice.com/10/mssecflt/
Inside Windows Defender System Guard Runtime Monitor. $~ lloydlabs. blog.syscall.party. (2024).
Original: http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html
Archived: https://web.archive.org/web/20241006130508/http://blog.syscall.party/2022/08/02/inside-windows-defender-system-guard-runtime-monitor.html
Review events and errors using Event Viewer - Microsoft Defender for Endpoint. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes
Archived: https://archive.ph/2024.10.27-171858/https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes
nickel-x64/WinSxS/Manifests/amd64_windows-secdriver_31bf3856ad364e35_10.0.22621.1_none_1fc1fcfdfbd26b7b.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64. github.com. (2024).
Original: https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-secdriver_31bf3856ad364e35_10.0.22621.1_none_1fc1fcfdfbd26b7b.manifest
Archived: https://archive.ph/2024.10.29-180902/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_windows-secdriver_31bf3856ad364e35_10.0.22621.1_none_1fc1fcfdfbd26b7b.manifest
File Systems and Filter Driver Design Guide - Windows drivers. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs
Archived: https://archive.ph/2024.10.27-171923/https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/
Abusing MiniFilter Altitude to blind EDR. Penetration Testing - Red Teaming - Purple Teaming - Security Training. Tier Zero Security, New Zealand. tierzerosecurity.co.nz. (2024).
Original: https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
Archived: https://archive.ph/2024.10.27-172151/https://tierzerosecurity.co.nz/2024/03/27/blind-edr.html
10_0_22622_601/C/Windows/System32/mssecuser.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601. github.com. (2024).
Original: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/mssecuser.dll.strings
Archived: https://archive.ph/2024.10.27-171937/https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/mssecuser.dll.strings
ExecutiveCallbackObjects/542875F90F9B47F497B64BA219CACF69/README.md at master · privacysexy-forks/ExecutiveCallbackObjects. github.com. (2024).
Original: https://github.com/privacysexy-forks/ExecutiveCallbackObjects/blob/master/542875F90F9B47F497B64BA219CACF69/README.md
Archived: https://archive.ph/2024.10.27-172051/https://github.com/privacysexy-forks/ExecutiveCallbackObjects/blob/master/542875F90F9B47F497B64BA219CACF69/README.md
Updated Analysis of PatchGuard on Microsoft Windows 10 RS4. A use case of REVEN, the Timeless Analysis Tool. Author : Luc Reginato. Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf. blog.tetrane.com. (2024).
Original: https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf
Archived: https://web.archive.org/web/20240922215705/https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf
Busting Red Team Trends With Style. Lessons Learned From Building an ETW Based Sysmon Replacement From Scratch. Philipp Schmied, Sebas0an Feldmann. x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf. www.x33fcon.com. (2024).
Original: https://www.x33fcon.com/slides/x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf
Archived: https://web.archive.org/web/20241202094736/https://www.x33fcon.com/slides/x33fcon24_-_Sebastian_Feldmann_and_Philipp_Schmied_-_Busting_Redteam_Trends_with_Style_-_Lessons_Learned_from_Building_an_ETW_based_Sysmon_Replacement_from_Scratch.pdf
Specific Defender files are missing from the published image. support.citrix.com. (2024).
Original: https://support.citrix.com/s/article/CTX691481-specific-defender-files-are-missing-from-the-published-image
Archived: https://archive.ph/2024.10.09-113246/https://support.citrix.com/s/article/CTX691481-specific-defender-files-are-missing-from-the-published-image?language=en_US
How do I disable Microsoft Defender Antivirus - Microsoft Community. answers.microsoft.com. (2024).
Original: https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-disable-microsoft-defender-antivirus/14725d12-3611-48ba-a82e-b51a47726034
Archived: https://web.archive.org/web/20241202094221/https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-disable-microsoft-defender-antivirus/14725d12-3611-48ba-a82e-b51a47726034
Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Defense evasion/PotentialMicrosoftDefenderTampering[Solarigate].yaml at master · privacysexy-forks/Azure-Sentinel. github.com. (2024).
Original: https://github.com/privacysexy-forks/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml
Archived: https://archive.ph/2024.10.27-172013/https://github.com/privacysexy-forks/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml
When the hunter becomes the hunted: Using custom callbacks to disable EDRs. www.alteredsecurity.com. (2024).
Original: https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
Archived: https://archive.ph/2024.10.27-163942/https://www.alteredsecurity.com/post/when-the-hunter-becomes-the-hunted-using-custom-callbacks-to-disable-edrs
Microsoft delivers unified SIEM and XDR to modernize security operations. Microsoft Security Blog. www.microsoft.com. (2024).
Original: https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations
Archived: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/
Re: Defender for Endpoint. Onboarding 2012R2 via local script. md4ws.msi with error id 15 - Microsoft Community Hub. techcommunity.microsoft.com. (2024).
Original: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-endpoint-onboarding-2012r2-via-local-script-md4ws/m-p/3273553/highlight/true
Archived: https://archive.ph/2024.10.27-172023/https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defender-for-endpoint-onboarding-2012r2-via-local-script-md4ws/m-p/3273553/highlight/true
Onboard MDE - Windows 2019 - MS Sense is missing / Error 15 - Microsoft Community Hub. techcommunity.microsoft.com. (2024).
Original: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/onboard-mde-windows-2019-ms-sense-is-missing-error-15/m-p/3925000
Archived: https://archive.ph/2024.10.27-172033/https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/onboard-mde-windows-2019-ms-sense-is-missing-error-15/m-p/3925000
Configure antivirus software to work with SQL Server - SQL Server. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server
Archived: https://archive.ph/2024.10.27-164210/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-and-sql-server
Configure Dev Drive policy for enterprise business devices. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/windows/dev-drive/group-policy
Archived: https://archive.ph/2024.10.27-172153/https://learn.microsoft.com/en-us/windows/dev-drive/group-policy
Faxing Your Way to SYSTEM — Part Two – Winsider Seminars & Solutions Inc.. windows-internals.com. (2024).
Original: https://windows-internals.com/faxing-your-way-to-system
Archived: https://archive.ph/2024.10.27-172044/https://windows-internals.com/faxing-your-way-to-system/
mssecuser.dll. Microsoft Security Events Component Library. STRONTIC. strontic.github.io. (2024).
Original: https://strontic.github.io/xcyclopedia/library/mssecuser.dll-4C0B2D44270EAA444B96CC1A10CF920A.html
Archived: https://archive.ph/2024.10.27-172054/https://strontic.github.io/xcyclopedia/library/mssecuser.dll-4C0B2D44270EAA444B96CC1A10CF920A.html

Apply Now

Choose one of three ways to apply:

Download script

Download and run the script directly

No app needed
Offline usage
Easy-to-apply
Free
Open-source

Apply protection

Undo protection

Help

How to apply or restore "Disable security event monitoring" using script

≈ 2 min to complete
Tools: Web Browser
Difficulty: Simple
≈ 5 instructions

1
Download
Download the script file by clicking on the Apply protection button above.
Use Undo protection button above to restore changes.
2
Keep the file
If warned by your browser, keep the file.
3
Open
Open the downloaded file.
4
Exit
Once it's done, press any key to exit the window.
5
Restart
Restart your computer for all changes to take effect.

Apply with privacy.sexy

Guided, automated application with safety checks

Recommended for most users
Includes safety checks
Free
Open-source
Popular
Offline/Online usage

Open privacy.sexy

Help

How to apply or restore "Disable security event monitoring" using privacy.sexy

≈ 3 min to complete
Tools: privacy.sexy
Difficulty: Simple
≈ 4 instructions

privacy.sexy is free and open-source application that lets securely apply this action easily with more advanced options.

1
Open or download
Open or download the desktop application
2
Choose script
1. Search for the script name: Disable security event monitoring
2. Check the script by clicking on the checkbox.
3
Run
Click on ▶️ Run button at the bottom of the page.
This button only appears on desktop version (recommended). On browser, use 💾 Save button.

Run commands

Copy and run commands manually Requires technical knowledge

Apply
Revert

Apply changes
:: Disable service(s): `MsSecFlt`
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'MsSecFlt'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) { Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try { Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch { Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else { Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if (!$startupType) { $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if ($startupType -eq 'Disabled') { Write-Host "^""$serviceName is already disabled, no further action is needed"^""; Exit 0; }; <# -- 4. Disable service #>; try { Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch { Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
:: Soft delete files matching pattern: "%SYSTEMROOT%\System32\drivers\MsSecFlt.sys" with additional permissions 
PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = "^""%SYSTEMROOT%\System32\drivers\MsSecFlt.sys"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount   = 0; $skippedCount   = 0; $failedCount    = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n    [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n    [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n    [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n    [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n    internal struct TokPriv1Luid {`r`n        public int Count;`r`n        public long Luid;`r`n        public int Attr;`r`n    }`r`n    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n    internal const int TOKEN_QUERY = 0x00000008;`r`n    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n    public static bool AddPrivilege(string privilege) {`r`n        try {`r`n            bool retVal;`r`n            TokPriv1Luid tp;`r`n            IntPtr hproc = GetCurrentProcess();`r`n            IntPtr htok = IntPtr.Zero;`r`n            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n            tp.Count = 1;`r`n            tp.Luid = 0;`r`n            tp.Attr = SE_PRIVILEGE_ENABLED;`r`n            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n            return retVal;`r`n        } catch (Exception ex) {`r`n            throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n        }`r`n    }`r`n    public static bool RemovePrivilege(string privilege) {`r`n        try {`r`n            bool retVal;`r`n            TokPriv1Luid tp;`r`n            IntPtr hproc = GetCurrentProcess();`r`n            IntPtr htok = IntPtr.Zero;`r`n            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n            tp.Count = 1;`r`n            tp.Luid = 0;`r`n            tp.Attr = 0;  // This line is changed to revoke the privilege`r`n            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n            return retVal;`r`n        } catch (Exception ex) {`r`n            throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n        }`r`n    }`r`n    [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n    public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) { if (Test-Path -Path $path -PathType Container) { Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) { if (-not $path.EndsWith('.OLD')) { Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else { if ($path.EndsWith('.OLD')) { Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) { Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try { $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch { Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) { $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else { $newFilePath = "^""$($originalFilePath).OLD"^""; }; try { Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) { try { Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch { Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch { Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) { try { Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch { Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) { Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) { Write-Warning "^""Failed to process $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null"
:: Soft delete files matching pattern: "%SYSTEMROOT%\System32\mssecuser.dll" with additional permissions 
PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = "^""%SYSTEMROOT%\System32\mssecuser.dll"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount   = 0; $skippedCount   = 0; $failedCount    = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n    [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n    internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n        ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n    [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n    internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n    [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n    internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n    [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n    internal struct TokPriv1Luid {`r`n        public int Count;`r`n        public long Luid;`r`n        public int Attr;`r`n    }`r`n    internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n    internal const int TOKEN_QUERY = 0x00000008;`r`n    internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n    public static bool AddPrivilege(string privilege) {`r`n        try {`r`n            bool retVal;`r`n            TokPriv1Luid tp;`r`n            IntPtr hproc = GetCurrentProcess();`r`n            IntPtr htok = IntPtr.Zero;`r`n            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n            tp.Count = 1;`r`n            tp.Luid = 0;`r`n            tp.Attr = SE_PRIVILEGE_ENABLED;`r`n            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n            return retVal;`r`n        } catch (Exception ex) {`r`n            throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n        }`r`n    }`r`n    public static bool RemovePrivilege(string privilege) {`r`n        try {`r`n            bool retVal;`r`n            TokPriv1Luid tp;`r`n            IntPtr hproc = GetCurrentProcess();`r`n            IntPtr htok = IntPtr.Zero;`r`n            retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n            tp.Count = 1;`r`n            tp.Luid = 0;`r`n            tp.Attr = 0;  // This line is changed to revoke the privilege`r`n            retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n            retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n            return retVal;`r`n        } catch (Exception ex) {`r`n            throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n        }`r`n    }`r`n    [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n    public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try { $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] { <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) { if (Test-Path -Path $path -PathType Container) { Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) { if (-not $path.EndsWith('.OLD')) { Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else { if ($path.EndsWith('.OLD')) { Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) { Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try { $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch { Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) { $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else { $newFilePath = "^""$($originalFilePath).OLD"^""; }; try { Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) { try { Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch { Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch { Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) { try { Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch { Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) { Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) { Write-Warning "^""Failed to process $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null"

Restore changes

Ijo6IFJlc3RvcmUgc2VydmljZShzKSB0byBkZWZhdWx0IHN0YXRlOiBgTXNTZWNGbHRgXG5Qb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgVW5yZXN0cmljdGVkIC1Db21tYW5kIFwiJHNlcnZpY2VOYW1lID0gJ01zU2VjRmx0JzsgJGRlZmF1bHRTdGFydHVwTW9kZSA9ICdNYW51YWwnOyAkaWdub3JlTWlzc2luZ09uUmV2ZXJ0ID0gICRmYWxzZTsgV3JpdGUtSG9zdCBcIl5cIlwiUmV2ZXJ0aW5nIHNlcnZpY2UgYFwiXlwiXCIkc2VydmljZU5hbWVgXCJeXCJcIiBzdGFydCB0byBgXCJeXCJcIiRkZWZhdWx0U3RhcnR1cE1vZGVgXCJeXCJcIi5cIl5cIlwiOyA8IyAtLSAxLiBTa2lwIGlmIHNlcnZpY2UgZG9lcyBub3QgZXhpc3QgIz47ICRzZXJ2aWNlID0gR2V0LVNlcnZpY2UgLU5hbWUgJHNlcnZpY2VOYW1lIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlOyBpZiAoISRzZXJ2aWNlKSB7IGlmICgkaWdub3JlTWlzc2luZ09uUmV2ZXJ0KSB7IFdyaXRlLU91dHB1dCBcIl5cIlwiU2tpcHBpbmc6IFRoZSBzZXJ2aWNlIGBcIl5cIlwiJHNlcnZpY2VOYW1lYFwiXlwiXCIgaXMgbm90IGZvdW5kLiBObyBhY3Rpb24gcmVxdWlyZWQuXCJeXCJcIjsgRXhpdCAwOyB9OyBXcml0ZS1XYXJuaW5nIFwiXlwiXCJGYWlsZWQgdG8gcmV2ZXJ0IGNoYW5nZXMgdG8gdGhlIHNlcnZpY2UgYFwiXlwiXCIkc2VydmljZU5hbWVgXCJeXCJcIi4gVGhlIHNlcnZpY2UgaXMgbm90IGZvdW5kLlwiXlwiXCI7IEV4aXQgMTsgfTsgPCMgLS0gMi4gRW5hYmxlIG9yIHNraXAgaWYgYWxyZWFkeSBlbmFibGVkICM+OyAkc3RhcnR1cFR5cGUgPSAkc2VydmljZS5TdGFydFR5cGUgPCMgRG9lcyBub3Qgd29yayBiZWZvcmUgLk5FVCA0LjYuMSAjPjsgaWYgKCEkc3RhcnR1cFR5cGUpIHsgJHN0YXJ0dXBUeXBlID0gKEdldC1XbWlPYmplY3QgLVF1ZXJ5IFwiXlwiXCJTZWxlY3QgU3RhcnRNb2RlIEZyb20gV2luMzJfU2VydmljZSBXaGVyZSBOYW1lPSckc2VydmljZU5hbWUnXCJeXCJcIiAtRXJyb3JBY3Rpb24gSWdub3JlKS5TdGFydE1vZGU7IGlmICghJHN0YXJ0dXBUeXBlKSB7ICRzdGFydHVwVHlwZSA9IChHZXQtV21pT2JqZWN0IC1DbGFzcyBXaW4zMl9TZXJ2aWNlIC1Qcm9wZXJ0eSBTdGFydE1vZGUgLUZpbHRlciBcIl5cIlwiTmFtZT0nJHNlcnZpY2VOYW1lJ1wiXlwiXCIgLUVycm9yQWN0aW9uIElnbm9yZSkuU3RhcnRNb2RlOyB9OyB9OyBpZiAoJHN0YXJ0dXBUeXBlIC1lcSBcIl5cIlwiJGRlZmF1bHRTdGFydHVwTW9kZVwiXlwiXCIpIHsgV3JpdGUtSG9zdCBcIl5cIlwiYFwiXlwiXCIkc2VydmljZU5hbWVgXCJeXCJcIiBoYXMgYWxyZWFkeSBleHBlY3RlZCBzdGFydHVwIG1vZGU6IGBcIl5cIlwiJGRlZmF1bHRTdGFydHVwTW9kZWBcIl5cIlwiLiBObyBhY3Rpb24gcmVxdWlyZWQuXCJeXCJcIjsgfSBlbHNlIHsgdHJ5IHsgU2V0LVNlcnZpY2UgLU5hbWUgXCJeXCJcIiRzZXJ2aWNlTmFtZVwiXlwiXCIgLVN0YXJ0dXBUeXBlIFwiXlwiXCIkZGVmYXVsdFN0YXJ0dXBNb2RlXCJeXCJcIiAtQ29uZmlybTokZmFsc2UgLUVycm9yQWN0aW9uIFN0b3A7IFdyaXRlLUhvc3QgXCJeXCJcIlJldmVydGVkIGBcIl5cIlwiJHNlcnZpY2VOYW1lYFwiXlwiXCIgd2l0aCBgXCJeXCJcIiRkZWZhdWx0U3RhcnR1cE1vZGVgXCJeXCJcIiBzdGFydCwgdGhpcyBtYXkgcmVxdWlyZSByZXN0YXJ0aW5nIHlvdXIgY29tcHV0ZXIuXCJeXCJcIjsgfSBjYXRjaCB7IFdyaXRlLUVycm9yIFwiXlwiXCJGYWlsZWQgdG8gZW5hYmxlIGBcIl5cIlwiJHNlcnZpY2VOYW1lYFwiXlwiXCI6ICRfXCJeXCJcIjsgRXhpdCAxOyB9OyB9OyA8IyAtLSA0LiBTdGFydCBpZiBub3QgcnVubmluZyAobXVzdCBiZSBlbmFibGVkIGZpcnN0KSAjPjsgaWYgKCRkZWZhdWx0U3RhcnR1cE1vZGUgLWVxICdBdXRvbWF0aWMnIC1vciAkZGVmYXVsdFN0YXJ0dXBNb2RlIC1lcSAnQm9vdCcgLW9yICRkZWZhdWx0U3RhcnR1cE1vZGUgLWVxICdTeXN0ZW0nKSB7IGlmICgkc2VydmljZS5TdGF0dXMgLW5lIFtTeXN0ZW0uU2VydmljZVByb2Nlc3MuU2VydmljZUNvbnRyb2xsZXJTdGF0dXNdOjpSdW5uaW5nKSB7IFdyaXRlLUhvc3QgXCJeXCJcImBcIl5cIlwiJHNlcnZpY2VOYW1lYFwiXlwiXCIgaXMgbm90IHJ1bm5pbmcsIHN0YXJ0aW5nIGl0LlwiXlwiXCI7IHRyeSB7IFN0YXJ0LVNlcnZpY2UgJHNlcnZpY2VOYW1lIC1FcnJvckFjdGlvbiBTdG9wOyBXcml0ZS1Ib3N0IFwiXlwiXCJTdGFydGVkIGBcIl5cIlwiJHNlcnZpY2VOYW1lYFwiXlwiXCIgc3VjY2Vzc2Z1bGx5LlwiXlwiXCI7IH0gY2F0Y2ggeyBXcml0ZS1XYXJuaW5nIFwiXlwiXCJGYWlsZWQgdG8gc3RhcnQgYFwiXlwiXCIkc2VydmljZU5hbWVgXCJeXCJcIiwgcmVxdWlyZXMgcmVzdGFydCwgaXQgd2lsbCBiZSBzdGFydGVkIGFmdGVyIHJlYm9vdC5gcmBuJF9cIl5cIlwiOyB9OyB9IGVsc2UgeyBXcml0ZS1Ib3N0IFwiXlwiXCJgXCJeXCJcIiRzZXJ2aWNlTmFtZWBcIl5cIlwiIGlzIGFscmVhZHkgcnVubmluZywgbm8gbmVlZCB0byBzdGFydC5cIl5cIlwiOyB9OyB9XCJcbjo6IFJlc3RvcmUgZmlsZXMgbWF0Y2hpbmcgcGF0dGVybjogXCIlU1lTVEVNUk9PVCVcXFN5c3RlbTMyXFxkcml2ZXJzXFxNc1NlY0ZsdC5zeXNcIiB3aXRoIGFkZGl0aW9uYWwgcGVybWlzc2lvbnMgXG5Qb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgVW5yZXN0cmljdGVkIC1Db21tYW5kIFwiJHJldmVydCA9ICR0cnVlOyAkcGF0aEdsb2JQYXR0ZXJuID0gXCJeXCJcIiVTWVNURU1ST09UJVxcU3lzdGVtMzJcXGRyaXZlcnNcXE1zU2VjRmx0LnN5cy5PTERcIl5cIlwiOyAkZXhwYW5kZWRQYXRoID0gW1N5c3RlbS5FbnZpcm9ubWVudF06OkV4cGFuZEVudmlyb25tZW50VmFyaWFibGVzKCRwYXRoR2xvYlBhdHRlcm4pOyBXcml0ZS1Ib3N0IFwiXlwiXCJTZWFyY2hpbmcgZm9yIGl0ZW1zIG1hdGNoaW5nIHBhdHRlcm46IGBcIl5cIlwiJCgkZXhwYW5kZWRQYXRoKWBcIl5cIlwiLlwiXlwiXCI7ICRyZW5hbWVkQ291bnQgICA9IDA7ICRza2lwcGVkQ291bnQgICA9IDA7ICRmYWlsZWRDb3VudCAgICA9IDA7IEFkZC1UeXBlIC1UeXBlRGVmaW5pdGlvbiBcIl5cIlwidXNpbmcgU3lzdGVtO2ByYG51c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7YHJgbnB1YmxpYyBjbGFzcyBQcml2aWxlZ2VzIHtgcmBuICAgIFtEbGxJbXBvcnQoYFwiXlwiXCJhZHZhcGkzMi5kbGxgXCJeXCJcIiwgRXhhY3RTcGVsbGluZyA9IHRydWUsIFNldExhc3RFcnJvciA9IHRydWUpXWByYG4gICAgaW50ZXJuYWwgc3RhdGljIGV4dGVybiBib29sIEFkanVzdFRva2VuUHJpdmlsZWdlcyhJbnRQdHIgaHRvaywgYm9vbCBkaXNhbGwsYHJgbiAgICAgICAgcmVmIFRva1ByaXYxTHVpZCBuZXdzdCwgaW50IGxlbiwgSW50UHRyIHByZXYsIEludFB0ciByZWxlbik7YHJgbiAgICBbRGxsSW1wb3J0KGBcIl5cIlwiYWR2YXBpMzIuZGxsYFwiXlwiXCIsIEV4YWN0U3BlbGxpbmcgPSB0cnVlLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV1gcmBuICAgIGludGVybmFsIHN0YXRpYyBleHRlcm4gYm9vbCBPcGVuUHJvY2Vzc1Rva2VuKEludFB0ciBoLCBpbnQgYWNjLCByZWYgSW50UHRyIHBodG9rKTtgcmBuICAgIFtEbGxJbXBvcnQoYFwiXlwiXCJhZHZhcGkzMi5kbGxgXCJeXCJcIiwgU2V0TGFzdEVycm9yID0gdHJ1ZSldYHJgbiAgICBpbnRlcm5hbCBzdGF0aWMgZXh0ZXJuIGJvb2wgTG9va3VwUHJpdmlsZWdlVmFsdWUoc3RyaW5nIGhvc3QsIHN0cmluZyBuYW1lLCByZWYgbG9uZyBwbHVpZCk7YHJgbiAgICBbU3RydWN0TGF5b3V0KExheW91dEtpbmQuU2VxdWVudGlhbCwgUGFjayA9IDEpXWByYG4gICAgaW50ZXJuYWwgc3RydWN0IFRva1ByaXYxTHVpZCB7YHJgbiAgICAgICAgcHVibGljIGludCBDb3VudDtgcmBuICAgICAgICBwdWJsaWMgbG9uZyBMdWlkO2ByYG4gICAgICAgIHB1YmxpYyBpbnQgQXR0cjtgcmBuICAgIH1gcmBuICAgIGludGVybmFsIGNvbnN0IGludCBTRV9QUklWSUxFR0VfRU5BQkxFRCA9IDB4MDAwMDAwMDI7YHJgbiAgICBpbnRlcm5hbCBjb25zdCBpbnQgVE9LRU5fUVVFUlkgPSAweDAwMDAwMDA4O2ByYG4gICAgaW50ZXJuYWwgY29uc3QgaW50IFRPS0VOX0FESlVTVF9QUklWSUxFR0VTID0gMHgwMDAwMDAyMDtgcmBuICAgIHB1YmxpYyBzdGF0aWMgYm9vbCBBZGRQcml2aWxlZ2Uoc3RyaW5nIHByaXZpbGVnZSkge2ByYG4gICAgICAgIHRyeSB7YHJgbiAgICAgICAgICAgIGJvb2wgcmV0VmFsO2ByYG4gICAgICAgICAgICBUb2tQcml2MUx1aWQgdHA7YHJgbiAgICAgICAgICAgIEludFB0ciBocHJvYyA9IEdldEN1cnJlbnRQcm9jZXNzKCk7YHJgbiAgICAgICAgICAgIEludFB0ciBodG9rID0gSW50UHRyLlplcm87YHJgbiAgICAgICAgICAgIHJldFZhbCA9IE9wZW5Qcm9jZXNzVG9rZW4oaHByb2MsIFRPS0VOX0FESlVTVF9QUklWSUxFR0VTIHwgVE9LRU5fUVVFUlksIHJlZiBodG9rKTtgcmBuICAgICAgICAgICAgdHAuQ291bnQgPSAxO2ByYG4gICAgICAgICAgICB0cC5MdWlkID0gMDtgcmBuICAgICAgICAgICAgdHAuQXR0ciA9IFNFX1BSSVZJTEVHRV9FTkFCTEVEO2ByYG4gICAgICAgICAgICByZXRWYWwgPSBMb29rdXBQcml2aWxlZ2VWYWx1ZShudWxsLCBwcml2aWxlZ2UsIHJlZiB0cC5MdWlkKTtgcmBuICAgICAgICAgICAgcmV0VmFsID0gQWRqdXN0VG9rZW5Qcml2aWxlZ2VzKGh0b2ssIGZhbHNlLCByZWYgdHAsIDAsIEludFB0ci5aZXJvLCBJbnRQdHIuWmVybyk7YHJgbiAgICAgICAgICAgIHJldHVybiByZXRWYWw7YHJgbiAgICAgICAgfSBjYXRjaCAoRXhjZXB0aW9uIGV4KSB7YHJgbiAgICAgICAgICAgIHRocm93IG5ldyBFeGNlcHRpb24oYFwiXlwiXCJGYWlsZWQgdG8gYWRqdXN0IHRva2VuIHByaXZpbGVnZXNgXCJeXCJcIiwgZXgpO2ByYG4gICAgICAgIH1gcmBuICAgIH1gcmBuICAgIHB1YmxpYyBzdGF0aWMgYm9vbCBSZW1vdmVQcml2aWxlZ2Uoc3RyaW5nIHByaXZpbGVnZSkge2ByYG4gICAgICAgIHRyeSB7YHJgbiAgICAgICAgICAgIGJvb2wgcmV0VmFsO2ByYG4gICAgICAgICAgICBUb2tQcml2MUx1aWQgdHA7YHJgbiAgICAgICAgICAgIEludFB0ciBocHJvYyA9IEdldEN1cnJlbnRQcm9jZXNzKCk7YHJgbiAgICAgICAgICAgIEludFB0ciBodG9rID0gSW50UHRyLlplcm87YHJgbiAgICAgICAgICAgIHJldFZhbCA9IE9wZW5Qcm9jZXNzVG9rZW4oaHByb2MsIFRPS0VOX0FESlVTVF9QUklWSUxFR0VTIHwgVE9LRU5fUVVFUlksIHJlZiBodG9rKTtgcmBuICAgICAgICAgICAgdHAuQ291bnQgPSAxO2ByYG4gICAgICAgICAgICB0cC5MdWlkID0gMDtgcmBuICAgICAgICAgICAgdHAuQXR0ciA9IDA7ICAvLyBUaGlzIGxpbmUgaXMgY2hhbmdlZCB0byByZXZva2UgdGhlIHByaXZpbGVnZWByYG4gICAgICAgICAgICByZXRWYWwgPSBMb29rdXBQcml2aWxlZ2VWYWx1ZShudWxsLCBwcml2aWxlZ2UsIHJlZiB0cC5MdWlkKTtgcmBuICAgICAgICAgICAgcmV0VmFsID0gQWRqdXN0VG9rZW5Qcml2aWxlZ2VzKGh0b2ssIGZhbHNlLCByZWYgdHAsIDAsIEludFB0ci5aZXJvLCBJbnRQdHIuWmVybyk7YHJgbiAgICAgICAgICAgIHJldHVybiByZXRWYWw7YHJgbiAgICAgICAgfSBjYXRjaCAoRXhjZXB0aW9uIGV4KSB7YHJgbiAgICAgICAgICAgIHRocm93IG5ldyBFeGNlcHRpb24oYFwiXlwiXCJGYWlsZWQgdG8gYWRqdXN0IHRva2VuIHByaXZpbGVnZXNgXCJeXCJcIiwgZXgpO2ByYG4gICAgICAgIH1gcmBuICAgIH1gcmBuICAgIFtEbGxJbXBvcnQoYFwiXlwiXCJrZXJuZWwzMi5kbGxgXCJeXCJcIiwgQ2hhclNldCA9IENoYXJTZXQuQXV0byldYHJgbiAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgR2V0Q3VycmVudFByb2Nlc3MoKTtgcmBufVwiXlwiXCI7IFtQcml2aWxlZ2VzXTo6QWRkUHJpdmlsZWdlKCdTZVJlc3RvcmVQcml2aWxlZ2UnKSB8IE91dC1OdWxsOyBbUHJpdmlsZWdlc106OkFkZFByaXZpbGVnZSgnU2VUYWtlT3duZXJzaGlwUHJpdmlsZWdlJykgfCBPdXQtTnVsbDsgJGFkbWluU2lkID0gTmV3LU9iamVjdCBTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLlNlY3VyaXR5SWRlbnRpZmllciAnUy0xLTUtMzItNTQ0JzsgJGFkbWluQWNjb3VudCA9ICRhZG1pblNpZC5UcmFuc2xhdGUoW1N5c3RlbS5TZWN1cml0eS5QcmluY2lwYWwuTlRBY2NvdW50XSk7ICRhZG1pbkZ1bGxDb250cm9sQWNjZXNzUnVsZSA9IE5ldy1PYmplY3QgU3lzdGVtLlNlY3VyaXR5LkFjY2Vzc0NvbnRyb2wuRmlsZVN5c3RlbUFjY2Vzc1J1bGUoICRhZG1pbkFjY291bnQsIFtTeXN0ZW0uU2VjdXJpdHkuQWNjZXNzQ29udHJvbC5GaWxlU3lzdGVtUmlnaHRzXTo6RnVsbENvbnRyb2wsIFtTeXN0ZW0uU2VjdXJpdHkuQWNjZXNzQ29udHJvbC5BY2Nlc3NDb250cm9sVHlwZV06OkFsbG93ICk7ICRmb3VuZEFic29sdXRlUGF0aHMgPSBAKCk7IHRyeSB7ICRmb3VuZEFic29sdXRlUGF0aHMgKz0gQCg7IEdldC1JdGVtIC1QYXRoICRleHBhbmRlZFBhdGggLUVycm9yQWN0aW9uIFN0b3AgfCBTZWxlY3QtT2JqZWN0IC1FeHBhbmRQcm9wZXJ0eSBGdWxsTmFtZTsgKTsgfSBjYXRjaCBbU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5JdGVtTm90Rm91bmRFeGNlcHRpb25dIHsgPCMgU3dhbGxvdywgZG8gbm90IHJ1biBgVGVzdC1QYXRoYCBiZWZvcmUsIGl0J3MgdW5yZWxpYWJsZSBmb3IgZ2xvYnMgcmVxdWlyaW5nIGV4dHJhIHBlcm1pc3Npb25zICM+OyB9OyAkZm91bmRBYnNvbHV0ZVBhdGhzID0gJGZvdW5kQWJzb2x1dGVQYXRocyB8IFNlbGVjdC1PYmplY3QgLVVuaXF1ZSB8IFNvcnQtT2JqZWN0IC1Qcm9wZXJ0eSB7ICRfLkxlbmd0aCB9IC1EZXNjZW5kaW5nOyBpZiAoISRmb3VuZEFic29sdXRlUGF0aHMpIHsgV3JpdGUtSG9zdCAnU2tpcHBpbmcsIG5vIGl0ZW1zIGF2YWlsYWJsZS4nOyBleGl0IDA7IH07IFdyaXRlLUhvc3QgXCJeXCJcIkluaXRpYXRpbmcgcHJvY2Vzc2luZyBvZiAkKCRmb3VuZEFic29sdXRlUGF0aHMuQ291bnQpIGl0ZW1zIGZyb20gYFwiXlwiXCIkZXhwYW5kZWRQYXRoYFwiXlwiXCIuXCJeXCJcIjsgZm9yZWFjaCAoJHBhdGggaW4gJGZvdW5kQWJzb2x1dGVQYXRocykgeyBpZiAoVGVzdC1QYXRoIC1QYXRoICRwYXRoIC1QYXRoVHlwZSBDb250YWluZXIpIHsgV3JpdGUtSG9zdCBcIl5cIlwiU2tpcHBpbmcgZm9sZGVyIChub3QgaXRzIGNvbnRlbnRzKTogYFwiXlwiXCIkcGF0aGBcIl5cIlwiLlwiXlwiXCI7ICRza2lwcGVkQ291bnQrKzsgY29udGludWU7IH07IGlmKCRyZXZlcnQgLWVxICR0cnVlKSB7IGlmICgtbm90ICRwYXRoLkVuZHNXaXRoKCcuT0xEJykpIHsgV3JpdGUtSG9zdCBcIl5cIlwiU2tpcHBpbmcgbm9uLWJhY2t1cCBmaWxlOiBgXCJeXCJcIiRwYXRoYFwiXlwiXCIuXCJeXCJcIjsgJHNraXBwZWRDb3VudCsrOyBjb250aW51ZTsgfTsgfSBlbHNlIHsgaWYgKCRwYXRoLkVuZHNXaXRoKCcuT0xEJykpIHsgV3JpdGUtSG9zdCBcIl5cIlwiU2tpcHBpbmcgYmFja3VwIGZpbGU6IGBcIl5cIlwiJHBhdGhgXCJeXCJcIi5cIl5cIlwiOyAkc2tpcHBlZENvdW50Kys7IGNvbnRpbnVlOyB9OyB9OyAkb3JpZ2luYWxGaWxlUGF0aCA9ICRwYXRoOyBXcml0ZS1Ib3N0IFwiXlwiXCJQcm9jZXNzaW5nIGZpbGU6IGBcIl5cIlwiJG9yaWdpbmFsRmlsZVBhdGhgXCJeXCJcIi5cIl5cIlwiOyBpZiAoLU5vdCAoVGVzdC1QYXRoICRvcmlnaW5hbEZpbGVQYXRoKSkgeyBXcml0ZS1Ib3N0IFwiXlwiXCJTa2lwcGluZywgZmlsZSBgXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoYFwiXlwiXCIgbm90IGZvdW5kLlwiXlwiXCI7ICRza2lwcGVkQ291bnQrKzsgZXhpdCAwOyB9OyAkb3JpZ2luYWxBY2wgPSBHZXQtQWNsIC1QYXRoIFwiXlwiXCIkb3JpZ2luYWxGaWxlUGF0aFwiXlwiXCI7ICRhY2Nlc3NHcmFudGVkID0gJGZhbHNlOyB0cnkgeyAkYWNsID0gR2V0LUFjbCAtUGF0aCBcIl5cIlwiJG9yaWdpbmFsRmlsZVBhdGhcIl5cIlwiOyAkYWNsLlNldE93bmVyKCRhZG1pbkFjY291bnQpIDwjIFRha2UgT3duZXJzaGlwIChiZWNhdXNlIGZpbGUgaXMgb3duZWQgYnkgVHJ1c3RlZEluc3RhbGxlcikgIz47ICRhY2wuQWRkQWNjZXNzUnVsZSgkYWRtaW5GdWxsQ29udHJvbEFjY2Vzc1J1bGUpIDwjIEdyYW50IHJpZ2h0cyB0byBiZSBhYmxlIHRvIG1vdmUgdGhlIGZpbGUgIz47IFNldC1BY2wgLVBhdGggJG9yaWdpbmFsRmlsZVBhdGggLUFjbE9iamVjdCAkYWNsIC1FcnJvckFjdGlvbiBTdG9wOyAkYWNjZXNzR3JhbnRlZCA9ICR0cnVlOyB9IGNhdGNoIHsgV3JpdGUtV2FybmluZyBcIl5cIlwiRmFpbGVkIHRvIGdyYW50IGFjY2VzcyB0byBgXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoYFwiXlwiXCI6ICQoJF8uRXhjZXB0aW9uLk1lc3NhZ2UpXCJeXCJcIjsgfTsgaWYgKCRyZXZlcnQgLWVxICR0cnVlKSB7ICRuZXdGaWxlUGF0aCA9ICRvcmlnaW5hbEZpbGVQYXRoLlN1YnN0cmluZygwLCAkb3JpZ2luYWxGaWxlUGF0aC5MZW5ndGggLSA0KTsgfSBlbHNlIHsgJG5ld0ZpbGVQYXRoID0gXCJeXCJcIiQoJG9yaWdpbmFsRmlsZVBhdGgpLk9MRFwiXlwiXCI7IH07IHRyeSB7IE1vdmUtSXRlbSAtTGl0ZXJhbFBhdGggXCJeXCJcIiQoJG9yaWdpbmFsRmlsZVBhdGgpXCJeXCJcIiAtRGVzdGluYXRpb24gXCJeXCJcIiRuZXdGaWxlUGF0aFwiXlwiXCIgLUZvcmNlIC1FcnJvckFjdGlvbiBTdG9wOyBXcml0ZS1Ib3N0IFwiXlwiXCJTdWNjZXNzZnVsbHkgcHJvY2Vzc2VkIGBcIl5cIlwiJG9yaWdpbmFsRmlsZVBhdGhgXCJeXCJcIi5cIl5cIlwiOyAkcmVuYW1lZENvdW50Kys7IGlmICgkYWNjZXNzR3JhbnRlZCkgeyB0cnkgeyBTZXQtQWNsIC1QYXRoICRuZXdGaWxlUGF0aCAtQWNsT2JqZWN0ICRvcmlnaW5hbEFjbCAtRXJyb3JBY3Rpb24gU3RvcDsgfSBjYXRjaCB7IFdyaXRlLVdhcm5pbmcgXCJeXCJcIkZhaWxlZCB0byByZXN0b3JlIGFjY2VzcyBvbiBgXCJeXCJcIiRuZXdGaWxlUGF0aGBcIl5cIlwiOiAkKCRfLkV4Y2VwdGlvbi5NZXNzYWdlKVwiXlwiXCI7IH07IH07IH0gY2F0Y2ggeyBXcml0ZS1FcnJvciBcIl5cIlwiRmFpbGVkIHRvIHJlbmFtZSBgXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoYFwiXlwiXCIgdG8gYFwiXlwiXCIkbmV3RmlsZVBhdGhgXCJeXCJcIjogJCgkXy5FeGNlcHRpb24uTWVzc2FnZSlcIl5cIlwiOyAkZmFpbGVkQ291bnQrKzsgaWYgKCRhY2Nlc3NHcmFudGVkKSB7IHRyeSB7IFNldC1BY2wgLVBhdGggJG9yaWdpbmFsRmlsZVBhdGggLUFjbE9iamVjdCAkb3JpZ2luYWxBY2wgLUVycm9yQWN0aW9uIFN0b3A7IH0gY2F0Y2ggeyBXcml0ZS1XYXJuaW5nIFwiXlwiXCJGYWlsZWQgdG8gcmVzdG9yZSBhY2Nlc3Mgb24gYFwiXlwiXCIkb3JpZ2luYWxGaWxlUGF0aGBcIl5cIlwiOiAkKCRfLkV4Y2VwdGlvbi5NZXNzYWdlKVwiXlwiXCI7IH07IH07IH07IH07IGlmICgoJHJlbmFtZWRDb3VudCAtZ3QgMCkgLW9yICgkc2tpcHBlZENvdW50IC1ndCAwKSkgeyBXcml0ZS1Ib3N0IFwiXlwiXCJTdWNjZXNzZnVsbHkgcHJvY2Vzc2VkICRyZW5hbWVkQ291bnQgaXRlbXMgYW5kIHNraXBwZWQgJHNraXBwZWRDb3VudCBpdGVtcy5cIl5cIlwiOyB9OyBpZiAoJGZhaWxlZENvdW50IC1ndCAwKSB7IFdyaXRlLVdhcm5pbmcgXCJeXCJcIkZhaWxlZCB0byBwcm9jZXNzICQoJGZhaWxlZENvdW50KSBpdGVtcy5cIl5cIlwiOyB9OyBbUHJpdmlsZWdlc106OlJlbW92ZVByaXZpbGVnZSgnU2VSZXN0b3JlUHJpdmlsZWdlJykgfCBPdXQtTnVsbDsgW1ByaXZpbGVnZXNdOjpSZW1vdmVQcml2aWxlZ2UoJ1NlVGFrZU93bmVyc2hpcFByaXZpbGVnZScpIHwgT3V0LU51bGxcIlxuOjogUmVzdG9yZSBmaWxlcyBtYXRjaGluZyBwYXR0ZXJuOiBcIiVTWVNURU1ST09UJVxcU3lzdGVtMzJcXG1zc2VjdXNlci5kbGxcIiB3aXRoIGFkZGl0aW9uYWwgcGVybWlzc2lvbnMgXG5Qb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgVW5yZXN0cmljdGVkIC1Db21tYW5kIFwiJHJldmVydCA9ICR0cnVlOyAkcGF0aEdsb2JQYXR0ZXJuID0gXCJeXCJcIiVTWVNURU1ST09UJVxcU3lzdGVtMzJcXG1zc2VjdXNlci5kbGwuT0xEXCJeXCJcIjsgJGV4cGFuZGVkUGF0aCA9IFtTeXN0ZW0uRW52aXJvbm1lbnRdOjpFeHBhbmRFbnZpcm9ubWVudFZhcmlhYmxlcygkcGF0aEdsb2JQYXR0ZXJuKTsgV3JpdGUtSG9zdCBcIl5cIlwiU2VhcmNoaW5nIGZvciBpdGVtcyBtYXRjaGluZyBwYXR0ZXJuOiBgXCJeXCJcIiQoJGV4cGFuZGVkUGF0aClgXCJeXCJcIi5cIl5cIlwiOyAkcmVuYW1lZENvdW50ICAgPSAwOyAkc2tpcHBlZENvdW50ICAgPSAwOyAkZmFpbGVkQ291bnQgICAgPSAwOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gXCJeXCJcInVzaW5nIFN5c3RlbTtgcmBudXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzO2ByYG5wdWJsaWMgY2xhc3MgUHJpdmlsZWdlcyB7YHJgbiAgICBbRGxsSW1wb3J0KGBcIl5cIlwiYWR2YXBpMzIuZGxsYFwiXlwiXCIsIEV4YWN0U3BlbGxpbmcgPSB0cnVlLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV1gcmBuICAgIGludGVybmFsIHN0YXRpYyBleHRlcm4gYm9vbCBBZGp1c3RUb2tlblByaXZpbGVnZXMoSW50UHRyIGh0b2ssIGJvb2wgZGlzYWxsLGByYG4gICAgICAgIHJlZiBUb2tQcml2MUx1aWQgbmV3c3QsIGludCBsZW4sIEludFB0ciBwcmV2LCBJbnRQdHIgcmVsZW4pO2ByYG4gICAgW0RsbEltcG9ydChgXCJeXCJcImFkdmFwaTMyLmRsbGBcIl5cIlwiLCBFeGFjdFNwZWxsaW5nID0gdHJ1ZSwgU2V0TGFzdEVycm9yID0gdHJ1ZSldYHJgbiAgICBpbnRlcm5hbCBzdGF0aWMgZXh0ZXJuIGJvb2wgT3BlblByb2Nlc3NUb2tlbihJbnRQdHIgaCwgaW50IGFjYywgcmVmIEludFB0ciBwaHRvayk7YHJgbiAgICBbRGxsSW1wb3J0KGBcIl5cIlwiYWR2YXBpMzIuZGxsYFwiXlwiXCIsIFNldExhc3RFcnJvciA9IHRydWUpXWByYG4gICAgaW50ZXJuYWwgc3RhdGljIGV4dGVybiBib29sIExvb2t1cFByaXZpbGVnZVZhbHVlKHN0cmluZyBob3N0LCBzdHJpbmcgbmFtZSwgcmVmIGxvbmcgcGx1aWQpO2ByYG4gICAgW1N0cnVjdExheW91dChMYXlvdXRLaW5kLlNlcXVlbnRpYWwsIFBhY2sgPSAxKV1gcmBuICAgIGludGVybmFsIHN0cnVjdCBUb2tQcml2MUx1aWQge2ByYG4gICAgICAgIHB1YmxpYyBpbnQgQ291bnQ7YHJgbiAgICAgICAgcHVibGljIGxvbmcgTHVpZDtgcmBuICAgICAgICBwdWJsaWMgaW50IEF0dHI7YHJgbiAgICB9YHJgbiAgICBpbnRlcm5hbCBjb25zdCBpbnQgU0VfUFJJVklMRUdFX0VOQUJMRUQgPSAweDAwMDAwMDAyO2ByYG4gICAgaW50ZXJuYWwgY29uc3QgaW50IFRPS0VOX1FVRVJZID0gMHgwMDAwMDAwODtgcmBuICAgIGludGVybmFsIGNvbnN0IGludCBUT0tFTl9BREpVU1RfUFJJVklMRUdFUyA9IDB4MDAwMDAwMjA7YHJgbiAgICBwdWJsaWMgc3RhdGljIGJvb2wgQWRkUHJpdmlsZWdlKHN0cmluZyBwcml2aWxlZ2UpIHtgcmBuICAgICAgICB0cnkge2ByYG4gICAgICAgICAgICBib29sIHJldFZhbDtgcmBuICAgICAgICAgICAgVG9rUHJpdjFMdWlkIHRwO2ByYG4gICAgICAgICAgICBJbnRQdHIgaHByb2MgPSBHZXRDdXJyZW50UHJvY2VzcygpO2ByYG4gICAgICAgICAgICBJbnRQdHIgaHRvayA9IEludFB0ci5aZXJvO2ByYG4gICAgICAgICAgICByZXRWYWwgPSBPcGVuUHJvY2Vzc1Rva2VuKGhwcm9jLCBUT0tFTl9BREpVU1RfUFJJVklMRUdFUyB8IFRPS0VOX1FVRVJZLCByZWYgaHRvayk7YHJgbiAgICAgICAgICAgIHRwLkNvdW50ID0gMTtgcmBuICAgICAgICAgICAgdHAuTHVpZCA9IDA7YHJgbiAgICAgICAgICAgIHRwLkF0dHIgPSBTRV9QUklWSUxFR0VfRU5BQkxFRDtgcmBuICAgICAgICAgICAgcmV0VmFsID0gTG9va3VwUHJpdmlsZWdlVmFsdWUobnVsbCwgcHJpdmlsZWdlLCByZWYgdHAuTHVpZCk7YHJgbiAgICAgICAgICAgIHJldFZhbCA9IEFkanVzdFRva2VuUHJpdmlsZWdlcyhodG9rLCBmYWxzZSwgcmVmIHRwLCAwLCBJbnRQdHIuWmVybywgSW50UHRyLlplcm8pO2ByYG4gICAgICAgICAgICByZXR1cm4gcmV0VmFsO2ByYG4gICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBleCkge2ByYG4gICAgICAgICAgICB0aHJvdyBuZXcgRXhjZXB0aW9uKGBcIl5cIlwiRmFpbGVkIHRvIGFkanVzdCB0b2tlbiBwcml2aWxlZ2VzYFwiXlwiXCIsIGV4KTtgcmBuICAgICAgICB9YHJgbiAgICB9YHJgbiAgICBwdWJsaWMgc3RhdGljIGJvb2wgUmVtb3ZlUHJpdmlsZWdlKHN0cmluZyBwcml2aWxlZ2UpIHtgcmBuICAgICAgICB0cnkge2ByYG4gICAgICAgICAgICBib29sIHJldFZhbDtgcmBuICAgICAgICAgICAgVG9rUHJpdjFMdWlkIHRwO2ByYG4gICAgICAgICAgICBJbnRQdHIgaHByb2MgPSBHZXRDdXJyZW50UHJvY2VzcygpO2ByYG4gICAgICAgICAgICBJbnRQdHIgaHRvayA9IEludFB0ci5aZXJvO2ByYG4gICAgICAgICAgICByZXRWYWwgPSBPcGVuUHJvY2Vzc1Rva2VuKGhwcm9jLCBUT0tFTl9BREpVU1RfUFJJVklMRUdFUyB8IFRPS0VOX1FVRVJZLCByZWYgaHRvayk7YHJgbiAgICAgICAgICAgIHRwLkNvdW50ID0gMTtgcmBuICAgICAgICAgICAgdHAuTHVpZCA9IDA7YHJgbiAgICAgICAgICAgIHRwLkF0dHIgPSAwOyAgLy8gVGhpcyBsaW5lIGlzIGNoYW5nZWQgdG8gcmV2b2tlIHRoZSBwcml2aWxlZ2VgcmBuICAgICAgICAgICAgcmV0VmFsID0gTG9va3VwUHJpdmlsZWdlVmFsdWUobnVsbCwgcHJpdmlsZWdlLCByZWYgdHAuTHVpZCk7YHJgbiAgICAgICAgICAgIHJldFZhbCA9IEFkanVzdFRva2VuUHJpdmlsZWdlcyhodG9rLCBmYWxzZSwgcmVmIHRwLCAwLCBJbnRQdHIuWmVybywgSW50UHRyLlplcm8pO2ByYG4gICAgICAgICAgICByZXR1cm4gcmV0VmFsO2ByYG4gICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBleCkge2ByYG4gICAgICAgICAgICB0aHJvdyBuZXcgRXhjZXB0aW9uKGBcIl5cIlwiRmFpbGVkIHRvIGFkanVzdCB0b2tlbiBwcml2aWxlZ2VzYFwiXlwiXCIsIGV4KTtgcmBuICAgICAgICB9YHJgbiAgICB9YHJgbiAgICBbRGxsSW1wb3J0KGBcIl5cIlwia2VybmVsMzIuZGxsYFwiXlwiXCIsIENoYXJTZXQgPSBDaGFyU2V0LkF1dG8pXWByYG4gICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEN1cnJlbnRQcm9jZXNzKCk7YHJgbn1cIl5cIlwiOyBbUHJpdmlsZWdlc106OkFkZFByaXZpbGVnZSgnU2VSZXN0b3JlUHJpdmlsZWdlJykgfCBPdXQtTnVsbDsgW1ByaXZpbGVnZXNdOjpBZGRQcml2aWxlZ2UoJ1NlVGFrZU93bmVyc2hpcFByaXZpbGVnZScpIHwgT3V0LU51bGw7ICRhZG1pblNpZCA9IE5ldy1PYmplY3QgU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5TZWN1cml0eUlkZW50aWZpZXIgJ1MtMS01LTMyLTU0NCc7ICRhZG1pbkFjY291bnQgPSAkYWRtaW5TaWQuVHJhbnNsYXRlKFtTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLk5UQWNjb3VudF0pOyAkYWRtaW5GdWxsQ29udHJvbEFjY2Vzc1J1bGUgPSBOZXctT2JqZWN0IFN5c3RlbS5TZWN1cml0eS5BY2Nlc3NDb250cm9sLkZpbGVTeXN0ZW1BY2Nlc3NSdWxlKCAkYWRtaW5BY2NvdW50LCBbU3lzdGVtLlNlY3VyaXR5LkFjY2Vzc0NvbnRyb2wuRmlsZVN5c3RlbVJpZ2h0c106OkZ1bGxDb250cm9sLCBbU3lzdGVtLlNlY3VyaXR5LkFjY2Vzc0NvbnRyb2wuQWNjZXNzQ29udHJvbFR5cGVdOjpBbGxvdyApOyAkZm91bmRBYnNvbHV0ZVBhdGhzID0gQCgpOyB0cnkgeyAkZm91bmRBYnNvbHV0ZVBhdGhzICs9IEAoOyBHZXQtSXRlbSAtUGF0aCAkZXhwYW5kZWRQYXRoIC1FcnJvckFjdGlvbiBTdG9wIHwgU2VsZWN0LU9iamVjdCAtRXhwYW5kUHJvcGVydHkgRnVsbE5hbWU7ICk7IH0gY2F0Y2ggW1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uSXRlbU5vdEZvdW5kRXhjZXB0aW9uXSB7IDwjIFN3YWxsb3csIGRvIG5vdCBydW4gYFRlc3QtUGF0aGAgYmVmb3JlLCBpdCdzIHVucmVsaWFibGUgZm9yIGdsb2JzIHJlcXVpcmluZyBleHRyYSBwZXJtaXNzaW9ucyAjPjsgfTsgJGZvdW5kQWJzb2x1dGVQYXRocyA9ICRmb3VuZEFic29sdXRlUGF0aHMgfCBTZWxlY3QtT2JqZWN0IC1VbmlxdWUgfCBTb3J0LU9iamVjdCAtUHJvcGVydHkgeyAkXy5MZW5ndGggfSAtRGVzY2VuZGluZzsgaWYgKCEkZm91bmRBYnNvbHV0ZVBhdGhzKSB7IFdyaXRlLUhvc3QgJ1NraXBwaW5nLCBubyBpdGVtcyBhdmFpbGFibGUuJzsgZXhpdCAwOyB9OyBXcml0ZS1Ib3N0IFwiXlwiXCJJbml0aWF0aW5nIHByb2Nlc3Npbmcgb2YgJCgkZm91bmRBYnNvbHV0ZVBhdGhzLkNvdW50KSBpdGVtcyBmcm9tIGBcIl5cIlwiJGV4cGFuZGVkUGF0aGBcIl5cIlwiLlwiXlwiXCI7IGZvcmVhY2ggKCRwYXRoIGluICRmb3VuZEFic29sdXRlUGF0aHMpIHsgaWYgKFRlc3QtUGF0aCAtUGF0aCAkcGF0aCAtUGF0aFR5cGUgQ29udGFpbmVyKSB7IFdyaXRlLUhvc3QgXCJeXCJcIlNraXBwaW5nIGZvbGRlciAobm90IGl0cyBjb250ZW50cyk6IGBcIl5cIlwiJHBhdGhgXCJeXCJcIi5cIl5cIlwiOyAkc2tpcHBlZENvdW50Kys7IGNvbnRpbnVlOyB9OyBpZigkcmV2ZXJ0IC1lcSAkdHJ1ZSkgeyBpZiAoLW5vdCAkcGF0aC5FbmRzV2l0aCgnLk9MRCcpKSB7IFdyaXRlLUhvc3QgXCJeXCJcIlNraXBwaW5nIG5vbi1iYWNrdXAgZmlsZTogYFwiXlwiXCIkcGF0aGBcIl5cIlwiLlwiXlwiXCI7ICRza2lwcGVkQ291bnQrKzsgY29udGludWU7IH07IH0gZWxzZSB7IGlmICgkcGF0aC5FbmRzV2l0aCgnLk9MRCcpKSB7IFdyaXRlLUhvc3QgXCJeXCJcIlNraXBwaW5nIGJhY2t1cCBmaWxlOiBgXCJeXCJcIiRwYXRoYFwiXlwiXCIuXCJeXCJcIjsgJHNraXBwZWRDb3VudCsrOyBjb250aW51ZTsgfTsgfTsgJG9yaWdpbmFsRmlsZVBhdGggPSAkcGF0aDsgV3JpdGUtSG9zdCBcIl5cIlwiUHJvY2Vzc2luZyBmaWxlOiBgXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoYFwiXlwiXCIuXCJeXCJcIjsgaWYgKC1Ob3QgKFRlc3QtUGF0aCAkb3JpZ2luYWxGaWxlUGF0aCkpIHsgV3JpdGUtSG9zdCBcIl5cIlwiU2tpcHBpbmcsIGZpbGUgYFwiXlwiXCIkb3JpZ2luYWxGaWxlUGF0aGBcIl5cIlwiIG5vdCBmb3VuZC5cIl5cIlwiOyAkc2tpcHBlZENvdW50Kys7IGV4aXQgMDsgfTsgJG9yaWdpbmFsQWNsID0gR2V0LUFjbCAtUGF0aCBcIl5cIlwiJG9yaWdpbmFsRmlsZVBhdGhcIl5cIlwiOyAkYWNjZXNzR3JhbnRlZCA9ICRmYWxzZTsgdHJ5IHsgJGFjbCA9IEdldC1BY2wgLVBhdGggXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoXCJeXCJcIjsgJGFjbC5TZXRPd25lcigkYWRtaW5BY2NvdW50KSA8IyBUYWtlIE93bmVyc2hpcCAoYmVjYXVzZSBmaWxlIGlzIG93bmVkIGJ5IFRydXN0ZWRJbnN0YWxsZXIpICM+OyAkYWNsLkFkZEFjY2Vzc1J1bGUoJGFkbWluRnVsbENvbnRyb2xBY2Nlc3NSdWxlKSA8IyBHcmFudCByaWdodHMgdG8gYmUgYWJsZSB0byBtb3ZlIHRoZSBmaWxlICM+OyBTZXQtQWNsIC1QYXRoICRvcmlnaW5hbEZpbGVQYXRoIC1BY2xPYmplY3QgJGFjbCAtRXJyb3JBY3Rpb24gU3RvcDsgJGFjY2Vzc0dyYW50ZWQgPSAkdHJ1ZTsgfSBjYXRjaCB7IFdyaXRlLVdhcm5pbmcgXCJeXCJcIkZhaWxlZCB0byBncmFudCBhY2Nlc3MgdG8gYFwiXlwiXCIkb3JpZ2luYWxGaWxlUGF0aGBcIl5cIlwiOiAkKCRfLkV4Y2VwdGlvbi5NZXNzYWdlKVwiXlwiXCI7IH07IGlmICgkcmV2ZXJ0IC1lcSAkdHJ1ZSkgeyAkbmV3RmlsZVBhdGggPSAkb3JpZ2luYWxGaWxlUGF0aC5TdWJzdHJpbmcoMCwgJG9yaWdpbmFsRmlsZVBhdGguTGVuZ3RoIC0gNCk7IH0gZWxzZSB7ICRuZXdGaWxlUGF0aCA9IFwiXlwiXCIkKCRvcmlnaW5hbEZpbGVQYXRoKS5PTERcIl5cIlwiOyB9OyB0cnkgeyBNb3ZlLUl0ZW0gLUxpdGVyYWxQYXRoIFwiXlwiXCIkKCRvcmlnaW5hbEZpbGVQYXRoKVwiXlwiXCIgLURlc3RpbmF0aW9uIFwiXlwiXCIkbmV3RmlsZVBhdGhcIl5cIlwiIC1Gb3JjZSAtRXJyb3JBY3Rpb24gU3RvcDsgV3JpdGUtSG9zdCBcIl5cIlwiU3VjY2Vzc2Z1bGx5IHByb2Nlc3NlZCBgXCJeXCJcIiRvcmlnaW5hbEZpbGVQYXRoYFwiXlwiXCIuXCJeXCJcIjsgJHJlbmFtZWRDb3VudCsrOyBpZiAoJGFjY2Vzc0dyYW50ZWQpIHsgdHJ5IHsgU2V0LUFjbCAtUGF0aCAkbmV3RmlsZVBhdGggLUFjbE9iamVjdCAkb3JpZ2luYWxBY2wgLUVycm9yQWN0aW9uIFN0b3A7IH0gY2F0Y2ggeyBXcml0ZS1XYXJuaW5nIFwiXlwiXCJGYWlsZWQgdG8gcmVzdG9yZSBhY2Nlc3Mgb24gYFwiXlwiXCIkbmV3RmlsZVBhdGhgXCJeXCJcIjogJCgkXy5FeGNlcHRpb24uTWVzc2FnZSlcIl5cIlwiOyB9OyB9OyB9IGNhdGNoIHsgV3JpdGUtRXJyb3IgXCJeXCJcIkZhaWxlZCB0byByZW5hbWUgYFwiXlwiXCIkb3JpZ2luYWxGaWxlUGF0aGBcIl5cIlwiIHRvIGBcIl5cIlwiJG5ld0ZpbGVQYXRoYFwiXlwiXCI6ICQoJF8uRXhjZXB0aW9uLk1lc3NhZ2UpXCJeXCJcIjsgJGZhaWxlZENvdW50Kys7IGlmICgkYWNjZXNzR3JhbnRlZCkgeyB0cnkgeyBTZXQtQWNsIC1QYXRoICRvcmlnaW5hbEZpbGVQYXRoIC1BY2xPYmplY3QgJG9yaWdpbmFsQWNsIC1FcnJvckFjdGlvbiBTdG9wOyB9IGNhdGNoIHsgV3JpdGUtV2FybmluZyBcIl5cIlwiRmFpbGVkIHRvIHJlc3RvcmUgYWNjZXNzIG9uIGBcIl5cIlwiJG9yaWdpbmFsRmlsZVBhdGhgXCJeXCJcIjogJCgkXy5FeGNlcHRpb24uTWVzc2FnZSlcIl5cIlwiOyB9OyB9OyB9OyB9OyBpZiAoKCRyZW5hbWVkQ291bnQgLWd0IDApIC1vciAoJHNraXBwZWRDb3VudCAtZ3QgMCkpIHsgV3JpdGUtSG9zdCBcIl5cIlwiU3VjY2Vzc2Z1bGx5IHByb2Nlc3NlZCAkcmVuYW1lZENvdW50IGl0ZW1zIGFuZCBza2lwcGVkICRza2lwcGVkQ291bnQgaXRlbXMuXCJeXCJcIjsgfTsgaWYgKCRmYWlsZWRDb3VudCAtZ3QgMCkgeyBXcml0ZS1XYXJuaW5nIFwiXlwiXCJGYWlsZWQgdG8gcHJvY2VzcyAkKCRmYWlsZWRDb3VudCkgaXRlbXMuXCJeXCJcIjsgfTsgW1ByaXZpbGVnZXNdOjpSZW1vdmVQcml2aWxlZ2UoJ1NlUmVzdG9yZVByaXZpbGVnZScpIHwgT3V0LU51bGw7IFtQcml2aWxlZ2VzXTo6UmVtb3ZlUHJpdmlsZWdlKCdTZVRha2VPd25lcnNoaXBQcml2aWxlZ2UnKSB8IE91dC1OdWxsXCIi

Help

How to apply or restore "Disable security event monitoring" using commands

≈ 2 min to complete
Tools: Command Prompt
Difficulty: Medium
≈ 3 instructions

View step-by-step guide with screenshots

1
Open Command Prompt
Open Command Prompt as Administrator.
2
Copy code
Copy the code:
Copy Apply Code Copy Revert Code
3
Paste & run
Paste the commands into Command Prompt and press Enter to run.
Some changes require a system restart to take effect

Similar Guides

Wider Goal

Guides below includes this guide to achieve a wider goal.

Disable system modification restrictions
Disable Defender
Privacy over security

This category disables features that restrict system modifications in Windows. This enables deeper system modifications, enhancing privacy by allowing th...

— Disable system modification restrictions

Same Goal

Other guides in Disable system modification restrictions

Disable Defender System Guard

Disable Defender Antivirus minifilter driver

Disable Defender Antivirus boot driver

Disable Secure Boot driver

Disable Tamper Protection

Disable virtualization-based security (VBS)

About the Creators

These people have authored this documentation and written its scripts:

undergroundwires
- Certified security professional
- 7+ years experience securing banks
- Open-source developer since 2005
- EU advisor, Public Speaker, Moderator
Open-Source Contributors
- Hundreds across the globe
- Testers, reviewers, developers
- Companies, military agencies
- Community since 2017

About Us

Reviewed By

This guide has undergone comprehensive auditing and peer review:

Expert review by undergroundwires
- Verified technical accuracy and editorial standards
- Assessed system impact and user privacy risks
- Audited and verified using automated security tests
Public review by large community
- Privacy enthusiasts and professionals peer-reviewed
- Millions of end-users tested across different environments
- Audited and verified using third-party security software

History

We continually monitor our guides, their impact and other potential privacy options. We update our guides when new information becomes available. On every update, we publicly store who made the change, what has been changed, why the change was made and when the change was made.

Review Change History Our Change Process

Overview​

Technical Details​

Overview of default service statuses​

Increased Privacy

Decreased Security

Apply Now​

Download script​

How to apply or restore "Disable security event monitoring" using script​

Download

Keep the file

Open

Exit

Restart

Apply with privacy.sexy​

How to apply or restore "Disable security event monitoring" using privacy.sexy​

Open or download

Choose script

Run

Run commands​

How to apply or restore "Disable security event monitoring" using commands​

Open Command Prompt

Copy code

Paste & run

Similar Guides​

Wider Goal​

Same Goal​

About the Creators​

Reviewed By​

Expert review by undergroundwires​

Public review by large community​

History​

Overview

Technical Details

Overview of default service statuses

Apply Now

Download script

How to apply or restore "Disable security event monitoring" using script

Apply with privacy.sexy

How to apply or restore "Disable security event monitoring" using privacy.sexy

Run commands

How to apply or restore "Disable security event monitoring" using commands

Similar Guides

Wider Goal

Same Goal

About the Creators

Reviewed By

Expert review by undergroundwires

Public review by large community

History