Skip to main content

Disable insecure "RC4" ciphers

Overview

About this script

This script improves your privacy on Windows.

These changes use Windows system commands to update your settings.

This script disables the RC4 ciphers.

This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection.

Authorities like Microsoft 1 2 3 4 5, NIST (FIPS) 6, CIS 7, Federal Office for Information Security (BSI) 8, OWASP 9, and NSA (National Security Agency) 10 classify this algorithm as weak and recommend against its use.

This script disables these cipher algorithms:

  • RC4 128/128 1 6 7 8 (128-bit RC4 6):
  • Enabled by default 6 7.
  • Disabling it disallows the following cipher suites:
    • SSL_RSA_WITH_RC4_128_MD5 1 6
    • SSL_RSA_WITH_RC4_128_SHA 1 6
    • TLS_RSA_WITH_RC4_128_MD5 1 6
    • TLS_RSA_WITH_RC4_128_SHA 1 6
  • RC4 64/128 2 6 7 8 (64-bit RC4 6):
  • Enabled by default 6.
  • Disabling it affects the functionality of the **Microsoft Money application 6.
  • RC4 56/128 3 6 7 8 (56-bit RC4 6):
  • Enabled by default 6.
  • Disabling it disallows the following cipher suites:
    • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 3 6
  • RC4 40/128 4 6 7 8 (40-bit RC4 6):
  • Enabled by default 6.
  • Disabling this algorithm will disallow the following cipher suites:
    • SSL_RSA_EXPORT_WITH_RC4_40_MD5 4 6
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5 4 6
Caution

This may cause compatibility issues with older devices or software.

This script uses Batch (batchfile) scripting language.

Use with Caution

This script is only recommended if you understand its implications. Some non-critical or features may no longer function correctly after running this script.

Implementation Details
  • Language: batch

  • Required Privileges: Administrator rights

  • Compatibility: Windows only

  • Reversibility: Can be undone using provided revert script

Explore Categories

This action belongs to Disable insecure ciphers category. This category improves network security by disabling outdated and less secure cipher suites. Cipher suites are sets of cryptographic algorithms used to secure network connections. They include ciphers, known as bulk encryption algorithms or simply bulk ciphers. Ciphers encrypt... Read more on category page ▶

Apply now

Choose one of three ways to apply:

  1. Automatically via privacy.sexy: The easiest and safest option.
  2. Manually by downloading: Requires downloading a file.
  3. Manually by copying: Advanced flexibility.

Alternative 1. Apply with Privacy.sexy

privacy.sexy is free and open-source application that lets securely apply this action easily.

Open privacy.sexy

You can fully restore this action (revert back to the original behavior) using the application.

privacy.sexy instructions
  1. Open or download the desktop application
  2. Search for the script name: Disable insecure "RC4" ciphers.
  3. Check the script by clicking on the checkbox.
  4. Click on Run button at the bottom of the page.

Alternative 2. Download

Irreversible Changes

This script is irreversible, meaning there is no straightforward method to restore changes once applied. Exercise caution before running, restoring it may not be possible.

  1. Download the script file by clicking on the button below:

    Download script

  2. Run the script file by clicking on it.

Download revert script

This file restores your system to its original state, before this script is applied.

Download restore script

Alternative 3. Copy

This is for advanced users. Consider automatically applying or downloading the script for simpler way.

  1. Open Command Prompt as administrator.
HELP: Step-by-step guide
  1. Click on Start menu

  2. Type cmd

  3. Right click on Command Prompt select Run as administrator

  4. Click on Yes to run Command Prompt


Animation showing how to open terminal as administrator on Windows 11

  1. Copy the following code:
Code to apply changes
:: Disable the use of "RC4 128/128" cipher algorithm for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' /v 'Enabled' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Disable the use of "RC4 64/128" cipher algorithm for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' /v 'Enabled' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Disable the use of "RC4 56/128" cipher algorithm for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' /v 'Enabled' /t 'REG_DWORD' /d "^""$data"^"" /f"
:: Disable the use of "RC4 40/128" cipher algorithm for TLS/SSL connections
:: Set the registry value: "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "$registryPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128'; $data = '0'; reg add 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' /v 'Enabled' /t 'REG_DWORD' /d "^""$data"^"" /f"
  1. Right click on command prompt to paste it.
  2. Press Enter to apply remaining code.

Copy restore code

Copy and run the following code to restore changes:

Revert code
:: Restore the use of "RC4 128/128" cipher algorithm for TLS/SSL connections
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' /v 'Enabled' /f 2>$null"
:: Restore the use of "RC4 64/128" cipher algorithm for TLS/SSL connections
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' /v 'Enabled' /f 2>$null"
:: Restore the use of "RC4 56/128" cipher algorithm for TLS/SSL connections
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' /v 'Enabled' /f 2>$null"
:: Restore the use of "RC4 40/128" cipher algorithm for TLS/SSL connections
:: Delete the registry value "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128!Enabled"
PowerShell -ExecutionPolicy Unrestricted -Command "reg delete 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' /v 'Enabled' /f 2>$null"

Support

This website relies on your support.

Support now

Your donation helps keep the project alive and improves its content ❤️.

Share this page: